ML20113E569
| ML20113E569 | |
| Person / Time | |
|---|---|
| Site: | Seabrook  |
| Issue date: | 12/12/1984 |
| From: | Altenbach T, Ariuska Garcia, Prassinos P LAWRENCE LIVERMORE NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20113E561 | List: |
| References | |
| NUDOCS 8504160524 | |
| Download: ML20113E569 (507) | |
Text
{{#Wiki_filter:. ENCLOSURE 2
.,--li
. yn
?4
's.W 1 1 A REVIEW OF THE SEABROOK STATION n PRC8A81LISTIC SAFETY ASSESSMENT
( Abel A. Garcia, Principal Investigator Oecemoer 12, 1984 Prepared by I
! T. J. Altenbach P. G. Prassinos A. A. Garcia J. B. Savy
! Lawrence Livermore National Laboratory
~
P. J. Anico Applied Risk Technology Corporation J. W. Reed 9. W. McCann Jr. Jack R. Benjamin & Associates Inc. P. R. Davis Consultant l
'( Lawrence Livermore National Laboratory l 7000 East Avenue - Livermore, CA 94550 -
t Prepared for
; Division of Safety Technology Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Ccmission Washington, D. C. 20555 1 't i .1 I-
- i. ; .
l
. . ./ '
l 8504160524 850404 PDR ADOCK 05000443 A PDR
, .. , . . . - . . - =-
u
. . _ _ - _ . . - ~. ~_ - _- - - , . ._ - - - . . . - .
I
' TABLE OF CONTENTS Section Title Pace 1 EXECUTIVE
SUMMARY
1-1 1.1 Internal Events 1-3 1.2 External Events 1-7 1.2.1 Earthquakes 1-7 1.2.2 Fires 1-9 f 1.2.3 Aircraft Crash 1-10
! 1.2.4 Internal Flooding 1-11
- 3 1.2.5 External Flood 1-12
- ' i 1.2.6 Hazardous Chemicals and Transportation Events 1-13 1.2.7 Extreme Wind 1-13
!! 1-14
; 1.2.8 Turbine Missiles 1.3 References for Chapter 1 1-14 2 INTRODUCTION 2-1 ! 2.1 Background 2-1 2.2 Scope 2-2 2.3 Review Assumptions 2-2 2.4 Summary of Results Presented in the SSPSA 24 2.4.1 Questions Answered by the 2-5 PRA SSPSA i ,- 2.4.2 What was Considered in the
,j ~ ' Analysis-
- t 2.4.3 Results 2-6
!! 2.4.4 Key Findings and Insights 2-15 2.5 References for Chapter 2 2-17 3 INTERNAL EVENTS ANALYSIS ~3-1 l
2 3.1 Initiating Events 3-2 Lj 3.1.1 Completeness of Initiating li Events Considered 3-2 lI 3.1.2 Initiating Event Frequencies 3-12 d 3.1.3 Issues Directly Included as Initiating Events 3-22 [? 3.2 Event Trees 3-25 n-3.2.1 General Event Tree Findings 3-25 N ' 3.2.2 Specific Event Tree Findings 3-27 3.2.3 Issues of Importance to the NRC 3-47 1 3-52 3.3 Success Criteria 3.3.1 Emergency Core Cooling Early 3-53 3 , 3.3.2 Emergency Core Cooling Late 3-55 [.1 3-57
! 3.3.3 Containment Heat Removal
,; 3.3.4 Revised Success Criteria 3-57 3.3.5 References for Section 3.3 3-57
- j. 3.4 Systems 3.4-1 3.4.1 Electric Power System 3.4-7 3.4.2 Service Water System 3.4-12
,- 3.4.3 Primary Component Cooling
,_, Water System 3.4-19 3.4.4 Instrument Air System 3.4-25 l
'# *
- e. g -e g ._g
I i O TABLE OF CONTENTS (Continued) Title Page Section 3.4.5 Reactor Trip, Solid State Protection System, and Engineered Safety Features Actuation System 3.4-29
; [
1 ' 3.4.6 Containment Envlosure Air Hnadling System 3.4-46
~'j 3.4.7 Emergency Core Cooling System 3.4-50 3.4.8 Emergency Feedwater System 3.4-65 l
l- 3.4.9 Reactor Coolant Pressure Relief System 3.4-78 3.4.10 Main Steam System 3.4-80 3.4.11 Containment Building
' Spray System 3.4-88 3.4.12 Containment Isolation System 3.4-92 I 3.4.13 Control Room Complex Heating i
Ventilation and Air Conditioning 3.4-98 3.5 Human Factors 3.5-1 3.5.1 General Coments on the Human
- Factors Analysis 3.5-1
,. 3.5.2 Specific Coments 3.5-3 3.6 Failure Data -
3.6-1 h 3.6.1 Random Component Failure Rates 3.6-1 3.6.2 System Failure Probabilities 3.5 18
- l:
3 3.6.3 Conclusions 3.6-68
-i 3.7 Operating Experience Analysis '
3.7-1
,i - 3.7.1 rnitiating Events 3.7-2 j 3.7.2 Component Failures 3.7-6 3.7.3 Maintenance Data 3.7-7 t 3.7.4 Comon Cause Failure
, Parameters (Beta Factors) 3.7-8 3.7.5 Human Errors 3.7-10 g
3.7.6 Concluding Remarks 3.7-10 3.8 Analysis Codes 3.8-1 14 3.8.1 Data Analysis 3.8-1 i 3.8.2 External Events Analysis 3.8-2 3.8.3 Plant Model Analysis 3.8-3
.4 3.8.4 Accident Phenomena, j
Containment and Site Analysis 3.8-4 3.8.5 Concluding Remarks 3.8-6 3.9 Accident Sequences 3.9-1 L 'l ' 3.9.1 Review of Appendix H, l ; Section H.2.1
! 3.9.2 Review of Appendix Section H.22 3.9.3 3.9.3 Review of Section 11.1, j Core and Containment Response t
Analysis Overview 3.9-8 1
,-,-yi- - - - -,s. ,_---,,-.,- , .
.+
w,,y ,-- , ,,f _-w,. - - , , _ - - - , ,.,y-- , .,-,g ,,,----,e----
- __ - _ ____m ___
'1 i
, t TABLE OF CONTENTS (Continued)
{
].-
Title Pace Section i 3.9.4 Review of Section 11.5.3 Time Window Analysis 3.9-8 3.9.5 Review of Appendix B; Thermal-
' Hydraulic Analysis of Selected Accident Scenarios 3.9-8 3.9.5 References for Section 3.9 3.9-8 3.10 Dependencies 3.10-1
', 3.10.1 Review of Section 8, Dependent Failure Analysis 3.10-3 lr 3.10.2 Review of Section 4.3.1.4
' Connon Cause Initiating l 3.10-2 Events 3.10.3 Review of Section 4.3.4.2 3.10-5 Connon Cause Failure Rates 3.10.4 Review of Section 4.3.5 ~
Plant Model Analysis of l Dependent Failures 3.10-5
! 3.10.5 Review of Section 4.3.5 S patial Interaction Analysis 3.10-8 l >
, -- 3.10.6 Review of Section 6.3
'-. _,3
- Connon Cause Failure Parameters (Beta-factors) 3.10-8 3.10.7 Review of Appendix E . _
Support Materials for Spattai i Interaction Study 3.10-13 3.10.8 Conclusions 3.10-13 3.10.9 References for Section 3.10 3.10-14 4-1 4 EXTERNAL EVENT ANALYSIS 4.1 Seismic Events 4.1-1 3 4.1-1 4 - 4.1.1 Seismic Hazard
' 4.1.2 Seismic Hazard / Fragility Interface 4.1-37 L' 4.1.3 Seismic Fragility Assessment 4.1-51 ,1 4.1A-1 1
4.1A Consulting Report '} 4.2 Fire Events 4.2-1 1 4.2.1 Fire-Hazard Analysis 4.2-2 1 4.2.2 Fire-Propagation Analysis 4.2-5 j j 4.2.3 Plant and Systems Analysis 4.2-7
- j i
- 4.2.4 Concluding Remarks 4.2-8 O -
~
4.2.5 References for Section 4.2 4.2-9 li 4.3 Aircraft Crash Analysis 4.3-1
- J 4.4 Internal Floods 4.4-1 L<
4.5 External Flooding 4.5-1 l
- 4.5.1 Background 4.5-1 4.5.2 Flood Initiators 4.5-1 l' ..
4.5.3 Methodology 4.5-2 l j 4.5.4 Conclusions 4.5-4 l l
- - - - - - - - , - , - +-- -,- - - --,- - .y
- - - - - - - - - - -----m---
. _ _ _ _ _ _ . . . . . . ~ . . - - - - - - - - -
s t l TABLE OF CONTENTS (Continued)
._) .,.
Pace Section * *
~
4.6 Hazardous Chemicals and 1 Transportation Events 4.5-1 4.7 Wind Events 4.7-1 i : 4.7.1 Tornado Wind Hazard and j; l Frequency 4.7.2 Tornado Wind Fragility 4.7-1 l of Structures 4.7-2 4.7.3 Tornado Wind Initiated ; 1 Scenarios 4.7-3 i 4.7.4 Tornado Missile Hazard 2] and Frequency. 4.7-3 l1 j 4.7-6 i 4.7.5 Tornado Missile Fragility 4.7.6 Tornado Missile Initiated
! 4.7-6
' Scenarios
- 4.8 Turbine Missiles Hazard 4.8-1
( 4.8.2 Concluding Remarks 4.8-2 1' 5
SUMMARY
AND CONCLUSIONS 5-1 4 5.1 Problems and Omissions 5-2 5.2 Treatment of Uncertainty 54 5.3 Overall Evaluation of SSPSA 5-7 O
.1 I
f . s . o ., I
.- l .
J' ; ,I c . 0 e
..me se -
, 4 ,
e-+,q r >
1.0 EXECUTIVE
SUMMARY
3 Lawrence Livermore National Laburatory (LLNL) has conducted a review of the Seaorock Station Probabilistic Safety Assessment (SSPSA) [Ref.1] for the i Office of Nuclear Reactor Regulation (NRR) of the U.S. Nuclear Regulatory
~
.j Comission (NRC). This probabilistic risk assessment (PRA) was performed by a i ! contractor for Public Service of New Hampshire (PSNH) and Yankee Atomic l Electric Company (YAEC). The SSPSA, completed in Decemoer 1983, was ,provided i to the NRC "for its information" in January 1984. The review was performed by
- a project team composed of personnel from LLNL staff, subcontractors and
! consultants. The review began in June 1984 and was completed in December 1984 t
i I The objective of the project was to perform an expeditious and cost effective
; a.,
review of those aspects of the SSPSA leading to estimates of the frequencies i of each plant damage state and their associated uncertainties and to determine the accuracy of those estimates. The SSPSA results for core melt probabilities wre 1.6E 4 per reactor year (RY) for internal events and 1
]
6.2E-5/RY for external events, for a total of 2.3E-4/RY. External events were dominated by contributions of 2.9E-5/RY from seismic events and 2.6E-5/RY for fi res. The scope of the review did not include a review of containment j response or offsite consequences nor extensive requantification.
-)I d l I ,
The review process included one site visit, and one meeting with the plant
~
i
' owner (PSNH) held during the site visit. No meetings were held with 1 contractors or consultants to PSNP, and the extent of formal and informal communications with PSNH was essentially nil. Although a set of detailed 1-1
'J '
questions concerning material presented in the SSPSA was submitted to PSNH, no R. 1 < - response was received. There is no doubt that the general lack of cooperation
- .j
, by PSNH witn our review effort was largely due to the current nature of
.?
- serious financial preolems the utility was facing at the time and the
', relationship of these proolems to the Seabrook Station. This lack of coop'eration nevertheless significantly complicated and hindered the review
..i ; Lj process and made it impossible to reach meaningful conclusions in several l t areas of the review.
- ).! ;
The review covered all major areas of tne plant analysis and evaluation in the' 9 , , q 1 'I SSPSA. This included initiating events, event trees, success criteria (for 1 functions and systems), fault trees, human factors, component and operating experience data and the treatment of uncertainty. The review of external 1 4 . events included earthquakes, fires, external and internal flooding, extreme (J d winds, aircraft accidents, hazardous materials, and turbine missiles. The _) review effort expended in these areas varied significantly, both because of
~ .I the extent and detail of the analyses presented in the SSPSA and because of
- l
; the relative importances of specific areas. In general, more effort was 9 ,
expended on those areas that were or had the potential of being significant 1
;j contributors to the frequency of core melt or to the various indices of public risk.
i
'.j The scope of the review included an examination of several issues of particular concern to the NRC, including: (1) reactor coolant pump seal
.1 failure during station blackout, (2) depletion of station batteries during Q
.i s,
1-2
* - - = * -.
-e.. wee e,- p .-a .
-i station blackout, (3) pressurized thermal shock, (.1) staa:a generator tuce
. 7, rupture with stuck-open secondary steam relief valves, (5) anticipatad
~
transients without scram, and (6) stuck-open safety / relief valve.
.d .
No significant omissions were found in terms of an overall contribucion to cae frequency of core melt. Several modeling errors were found that indicate an f.) j B~j j incomplete or different understanding of interactions between planc syste.ns or l , human beings (operators) and plant systems; these are oescribed .in the internal events section. Their significance could not be completely assessed. a
'h*
1 The principal qualitative and quantitative conclusions of this review are
,j
,t briefly described below in general terms. i l - 1.1 INTERNAL EVENTS 1 L ..;
~
The extent and type of internal event initiators and their treatment is
.: generally reasonable and consistent with those considered in other PRAs.
a ' A.h 9 The event tree models in most cases correctly represented the accident Lj L.j sequence phenomenology assumed in the SSPSA; however, we have identified several areas of disagreement with the assumed phenomenology. We are also u l.- concerned that the requirement to have each event on an event tree independent (j
- , of the others has resulted in large and very complex trees wnich are oifficult
<4 to follow and analyze, i.e., trees which are essentially inscrutable. In ht addition, the large numeer of sequences, on the order of 100 times as many as . ..j in previous PRAs, effectively fragmented many accident scenarios which could be simply described as single sequences into a large number of sequences, so 1-3 g- . - - . . . - - -
, .. . ... .~.
that the usefulness of the event tree sequences as a means to obtain
-' engineering insights was lost. Although many deficiencias in these trees are
,, described in the text of this report, it was not possible to evaluate the
, affect of most, primarily because of the complexity of the trees in ene SSMA ,
and their use of proprietary coces to perform the quantitative evaluations. It is not clear whether the extensive detail in the event trees was a i appropriately used in assessing the risk consequences because we did not perform a review of the consequence analysis. J The systems analysis is significantly different than any PRA which any of the reviewers had previously examined. The systems which were analysed were modeled with reliability block diagrams (R80s) instead of the more traditional fault trees. The R80s were constructed using a set of superccmponent blocks t The R80s were, in turn, used to develop logic expressions for system failure
! which are dependent on specific initiators, boundary conditions and system function; and these expressions were used to quantify the system l
, unavailabilities.
) Although the system models are reasonable in terms of representing the plant systems, the evaluation process in the SSPSA which uses the RBCS ultimately I
provides significantly less information than is needed to perform a thorough review of the complete analysis. In particular, the R80s were constructed as independent blocks which were quantified for various specific conditions. after which only the quantitative information was propagated in the analysis. Several important concerns are raised by the process: first, the analysis does not provide cut sets wnich represent sequences, so that important and 1..t
. e
i useful qualitative information is not provided; second, the use of the support
< m, states appears to place undue emphasis on the ability of the analyst to recognize dependencies, while it simultaneously makes it virtually impossible for the reviewer to verify that inter-system depenoencies received adequate treatment; third in spite of the fact that the systems models were found to contain many conservative assumptions, made principally to !?molify the analysis, these conservative assumptions in ecmcination with the support state evaluation process have the potential to mask important qualitative results.
The functional success criteria used in the SSPSA were generally found to be reasonable, with some exceptions. These criteria, however not clearly stated in many cases, included both conservative and optimistic examples and in general were not justified or adequately documented. I i >i The review of the failure rate data used in the SSPSA consisted of a comparison of the individual component fa1Ture rates with other sources and a review of system failure probabilities and unavailabilities'. The SSPSA 1
- provided failure values for components, but it described as proprietary and s
did not provide information regarding the derivation of the values, the sources of data, or adjustments to the source data. The proprietary material was not reviewed for this report. The data values presented were found to be reasonably consistent with other data sources available to the review. A comparison of system failure probabilities with other sources of similar data
; revealed tnat these values were reasonably consistent with the other sources, t
f 1-5
F .. .. . _ . _, .. Several discrepancies were found and examined, but they did not change the
'(D s. . overall results. The treat:nent of comon cause data left us with some concern because of the exclusion of passive components and the use of very low beta
. factors for scme components. Althougn rio instance was identifled that would significantly change the results, it was not possible to reach definitive i j conclusions in a few cases.
l The reviews of the use of operational experience in the SSPSA found that the i : j methodology used to develop a plant-specific data base was generally adequate and that it appears to have used a broad base of data sources. Although we have reservations about the proprietary nature of the actual data used in the analysis (which was not available to the review), the resultant data base appears to be generally acceptable. Two minor concerns are the use of nation-
.l , ...
wide data to estimate the frequency of loss of offsite power and the use of I
'~
only four categories to quantify the maintenance unavailabilities of all f components at the plant. 1 d , The more than 20 computer codes used in the SSPSA generally appear to be
-) adequate and appropriate for the analysis.
4
- A review of severe accident progression methods and assumptions used in the SSPSA identified numerous minor discrepancies but none wnich appear to have the potential to significantly change the results.
Consideration and treatment of dependencies and comon cause failures in the SSPSA were evaluated in the review in three categories: c:mmon cause initiating events, intersystem dependencies, and intercomponent Pe 1-6
dependencies. The methodology used in the analysis appears reasonaDie and n appropriate. No important omissions in the treatment of dependencies were identified by the review. Concerns regarding the treatment of common cause failures and the use of beta factors do not appear to have significant effec s on the results. The quantification process used in the SSPSA is the matrix formalism methodology developed by Pickard, Lowe ard Garrick, Inc. i 1.2 EXTERNAL EVENTS The external event types considere.: in the SSPSA are earthquakes, fires,
, aircraft accidents, internal and external flooding, hazardous materials,
.. , extreme winds, and turoine missiles.
( 1 i The methodologies used in the detailed assessments are generally reasonable
, and consistant with the state-of-the-art; however, there are notable ., i disagreements in several areas. More detail is provided below for the various 4
i event types. i 1.2.1 EARTHCUAKES { 1.2.1.1 SE!SMIC HAZARD The metnodology used in the evaluation of the frequency of the seismic ha:ard at Seabrook is consistent with the state-of-the-art of comercial PRAs.
/'a However, we disagree with numerous applications of the methodology in the
- 1-1
. . . . . . . . . , .r...... , , . . . . . .
- T *- . . - . ...----
- - _ _ , ,,,_ ,_ -- -w- - - - - - ---,- -- - -,- - +--
SSPSA. In particular, the assessment of alternative model hypotheses and tne m assignment of subjective probability weights is not adequately supported. The ad hoc procedure used to perform the uncertainty analysis failed to document the choices mace and the uncertainty assigned to key parameters in the analysis. A review of individual parameters in the analysis and a carparison with the interim Seismic Hazard Characterization Program lead us to f qualitatively conclude that the hazard analysis results may be optimistic and [ the uncertainty underestimated. The absence of a more complete and wil-documented uncertainty analysis leaves the seismic hazard results unsupported. f . t 1.2.1.2 SEISMIC FRAGILITY ( l . l The methodology used in the SSPSA for determining the seismic frag 111 ties is I appropriate and adequate to obtain a rational measure of the strength of structures and equipment. The methodology obtained capacity values based on j simple probabilistic models which used some data but currently rely heavily on engineering judgement. Based on a preliminary review of the results of the i SSPSA, the mean frequency of core melt value of 2.89E-5 per year appears to be q r high relative to the hazard curves used in the analysis. A quick check suggests that the central capacity of the core melt fragility curve appears to be somewhere between 0.50g and 0.70g. It seems on the low side. 4 A spot check of the calculations indicates that the capacities of the ke/ ccmponents at the SSE value are low. Using a ratio of the "95 - 5" value (i.e., the capacity corresponding to a 951 probacility of less than a' St 1-4
.. . . . . . . . . . , . _ .. ._ . . . . . . . . . . - . ~ - -
t . , , 6 rs . see . frequency of fatture) to the SSE value, ratios for Irey components at Seabrook m
' ./ are generally less than one while values for Limerick and Millstone are generally two or larger. Finally, comparing fragility parameter values of Seabrook and other PWRs (new and old), the capacity values of equipment , considered also appeared to be low for Seabrook. Based on experience with
~i
; past PRA reviews and the generally favorable impression of the plant we gained
'i during the site inspection, we Delieve that the cacacities of the dominant contributors should be reevaluated to determine wnether the capacities are 5 truly as low'as indicated. We are optimistic that the capacities will be found to be l'rger. a
\ ! 1.2.2 F'9ES The fire analysis performed for the SSPSA appears accurate and valid. The
(,), frequencies of the fire induced initiating event which include system ' failure
; i are reasonable. The contribution to core damage due to fires at the various
- locations analyzed fall within the range of those calculated from other fire 4
l assessments at nuclear power plants (IE-4 to 1E-7). About ils of the core M . melt frequency is due to the eight fire induced accident sequences that appear ,j in the top 43 contributors. t 4 i The methodology employed in the SSPSA for the evaluation of fires represents lj the state-of-the-art in fire risk analysis. We believe the screening process and the use of the 10CFR50 Appendix A fire evaluation identified all fire f areas deserving detailed analysis. The fire frequency estimates for the [ various compartments were determined using acceptable nothods and are (] reasonable. 1-9
. . .- . . . .. . . . . . . . . . ~ . , s .. y , . .-. . ~ -
. . ~ ~ + ~ * - - * ~ = . . -
The analysis of fire propagation for determining the loss of safety related (3 s functions is rigorous and explicit. The considerations of fire phenomena,
. material properties, fire detection and suppression, operator action, and .] .ticaeling uncertainty at eaca fire location were reasonaole. The conditional i
j , unavailability of systems due to fires appears to be accurate.
'l a
We have a concern, however, about the manner in wnich the fire incuced' j initiating events are processed through the plant matrix. It appears that I
- these initiating events, wnich already include component or system failures, I . are being incorrectly comoined with auxiliary and front-line event trees that have not explicitly considered these same failures.
. 1.2.3 AIRCRAFT CRASH l
t m . Air traffic due to several airports and landing facilities near the $eabrook l . site is analyzed in the SSPSA. Using statistics for a 10-yr period, inflight 1 crash rates per Mle flown ,were calculated for commercial air carriers, - general aviation aircraft, ar.d military aircraft. Frequencies of aircraft crashes ints the various structures of the plant were then calculated.
! i ., Three scenarios were judged to be important enough for quantification in the 1, -l' plant model: (1) crash of a large aircraft into containment, with a frequency of 1.21E-6 per year; (2) crasn into the control butiding, with a frequency of 1.39E-7 per year; and (3) crash into the primary auxiliary building, with a }'
frequency of 2.00E.7 per year. t i
. This an&Iysis is judged to be reasonable and acceptable.
i 1 10
1 l l 1.2.4 INTERNAL' FLOODING
}
The SSPSA treats internal ficoding primarily qualitatively, with a j quantitative anslysis performed for a turbine building and switchgear room , i 1 flood. The qualitative analyses consider all internal flood sourecs for each *
- I j defined location, including floods caused by fire protection equipment and
.j , sources from adjacent locations. In all these locations it was concluded that -i l the risk due to flooding was insignificant. , A flood in the turbine building was quantifled for three scenarios according to the postulated effects, as follow: (1) loss of offsite power, with a
.i frequency of 3.2E-4 per year; (2) loss of offsite power and bus ES, with a frequency .of 2.5E-6 per year; (3) loss of offsite power and. busses E5 and E6,
( . with a frequency of 8.5E-8 per year. These frequencies were then input to the full risk model quantification. a * $ The quantification of the tureine building flood appears to be reasonable and 2 adequate. The qualitative treatment of flooding in other locations is 3 , adequate.
- ! a
- $ i 1.2.5 EXTERNAL FLOOD d
?;
l The assessment of external flooding consists of a qualitative screening of i potential sources of flooding and a point estimate assessment of flood
'b frequencies and core melt. A formal probabilistic analysis of external flood (s hazard or of plant systems response was not performed.
I 1-11 4
manien 4 The SSPSA concluded from a qualitative screening of the Seabecak F3AR that a
- 3 i probable maximts hurricane combined with a standard project stor a posed tne
- 1 greatest hazard to the plant. Based on subjectively e:;1 mated point estimates I,
of flood frequencies, it was concluded that flooding at the elevation of plant i structures, 21 feet MSL, has a median fre<1uency of l' s per year. The assumed N ! uncertainty on the frequency of flooding led to the conclusion that the 2: i i( l frequency of exceeding 21 feet MSL at the 95th percentile is SE-4.
]
A I Although the frequency of flooding at the plant site due to hurricane
, i Ni :
precipitation is believed to be conservative, the absence of a probabilistic
..l '
analysis that addresses all sources of flooding is considered to be a serious i 1 omission. The uncertainties in estimating tne frequency of extreme flood I
! events is believed to be much greater than that which was assumed.
i Conservative assumptions for the frequency of flooding indicate that the
~
contribution from this event is insignificant relative to other hazards. This conclusion, in the absence of a probabilistic analys.s. is judged inadequately ( justi fled. N;<j d i j 1.2.6 HAZARCOUS CHEMICALS AND TRANSp0RTATION EVENTS
.:{
d I di 1 j f' A qualitative and partially quantitative analysis was performed 11 the SSpSA to assess the potential for accident initiation due to industrial activities ij ' near the plant. Hazardous chemicals stored offsite or onsite were considered, 3 4 as well as gas pipeline accidents (judged insignificant) and onsite truck l crashes into the transmission lines. -v b i. ', 1-12 l i"
. .. . . , . . . _ .. . . . . . . m _.. . .- . .-. - - - - . . _ - .
t
The frequency of control room uninhabitability due to hazardous gas
'l infiltration is estimated at 7E-7 per yr and is considered an insignt ficant contributor to risk. The frequency of a nonrecoverable loss of offsite power M due to a truck crasn into the transmission lines was calculated at 2.76E.4 per ? yr. This was considered significant enough to be included as an initiating .d ;. . event in the plant model quantification. ;1
- f. l This analysis appears to be reasonable and acceptable.
.J q .
2I . 1.2.7 EXTREME WINO
-4 We conclude that the probability of damage to safety related equipment due to the effects of winc is on the orcer of IE-7 per year or less. This agrees
.. generally with the SSPSA, but' our basis is different. Although the SS.PSA addresses only tornado initiated scenarios, the safety-related structures were l conservatively designed for a wind speed of 360 mph, so that the effects of hurricanes and other types of wind are implicitly included.
,1 5 i
;, We agree that wind hazard is not a significant external event.
.1
]
JJ. 1.2.8 TURBINE MISSILES b, None of the six turbine missile initiating events identified in the SSPSA N resulted in sequences that appear in the top 43 contributors to core melt or as a dominant contributor to any of the plant damage states. v 1 & ~
'i' .
.. . s i
I*I3 , lj
* , . ~ . . . . . . . . _
- s. . . . ..,..,...,.......r...._....-,-,
.-..-.;.-.~. , . ,
_ _ ~_ _ _ . _ _ . _ _ _ _ . _ . , . _ _ _ _ . . . _ . . _
Tne estimate for the probability of missile-generating turbine failures 8.3E-T
- 5, is c:mparable to the recomended value,1E-4, given in NRC Regulatory Guide i
1.115. The mean values of the turbine missile initiating event frequencies
, range fecm 8.3E-5 to 1.27E-8 and account for main steam line breaks, control l room failures, loss of condensor vacuum, large LOCA, loss of condensate n.
M , storage tank and loss of primary component cooling. t , b Our qualitative review concludes that turoine missiles are not a dominant.
~
,.,{ d j contributor to cone melt or plant risk due to their low frequencies.
- 4 i 1.3 References for Chapter 1 I
- 1. SSPSA
". }'
.e SD
! t
'I Y.
s.
- t h
- (< . -
p e q G 1 Di , 4 d 1-14 e
a
'i g
2.0 INTRODUCTION
3 !
! Lawrence Livermore National Lacoratory (LLNL) Has conducted a review of the i >
- j .
Seabrcon Station Probabilistic Safety Assessment (SSPSA) [Ref. 13 for the 3 office of Nuclear Reactor Regulation (NRR) of the Nuclear Regulatory
- l l Comudssion (NRC). This project is one of several in a larger NRR dj probacilistic risk assessment (PRA) review program in which a cor.arenensive .
review and evaluation is given to PRAs submitted to the NRC by license N applicants and licensees. A 1 . 4 1 ' i 2.1 Background j .
'i ,; The roots of the PRA review program lie in tne interest expressed in April 'i 1980 by tne Commissioners of tne NRC in determining if there were any 1
1 candidates for special risk studies at plant sites which may be risk l r! . i d outliers. The staff performed limited generic risk analyses for plant sites II '!
- witnin the U.S. based on (1) weignted population density withi'n a 30 mile J
J : boundary about the site, (2) plant power level, and (3) stage of construction. Three plant sites (Zion, Indian Point, and Limerick) were found j-j to have a weignted density factor 10 to 15 times higner than ne median (SECY-a {
,] j 81-25) (Ref. 23. The NRC required these plants to perform a PRA. Seabrook is
] one of eignt plant sites found to have a slightly lower weignted density ql3. '
+ factor (4 to 8 times the median). Altnough the NRC did not require that a PRA
.4 be performed for this plant, one was requested by the State of New
. Hampsni re. It was performed by a contractor for Puolic Service of New n
Hampsnire (PSNH), the plant operator, and Yankee Atomic Electric Company (YAEC), a part owner. The PRA was completed in Decencer 1983 and provided to ,j ! { 2-1 4
- . . _ . . . _ - _ ~ - - _ . . , . . . . _ _ _ ..__,._,y_._ , _ _ _ _ . , , . _ , _ _ . , , _ . . _ _ , . , _ _ , . , _ , _ , . , _ _ , . _ _ . _ _ _ _ _ , _ - _ _ - _ _ _
~ I l
t
-l
{ q the NRC "for its information" in January 1984
- s
; . 2.2 Scope Q
The objective of tnis project was to perform a review of those aspects of the SSPSA leading to the estimates of the frequencies of each plant damage state 1 0 and the associated uncertainty spread to determine the accuracy of tnese l G l estimates. The review covered methodology, assumptions, data, information A n
} { sources, models, plant understanding, completeness of tne analysis, and otner q areas where inconsistencies could affect the qualitative and quantitative N ' '
results. The scope of the analysis did not include extansive reevaluation or requantification of plant damage state frequencies, nor a review of :ne containment .esponse or consequence analysis included in the SSPSA.
~
C 2.3 Review Assumptions j
] ,
The review philosopny on this subject was simple and st'raigntforward, and
. 4 applied througnout the review. Our approach was to examine the models and *}3 1 a data in the SSPSA with respect to appropriate selection and apo11 cation, and T' proper execution, and to determine whether or not any validation was .] .
required. We assumed that the use of standard computer codes, data sources. 4 * ,9 , system modeling tecnniques, human factors information, etc, was acceptaole and Di
. did not require validation except for the specific application (s) in the 9 i analysis. We similarly assumed that the execution of a particular application i / j was acceptable if it generally conformed with previous work in the PRA arena
- 1. that had received peer review. Conversely, if the enoice of model(s) or data,
(] or the application to a particular problem, or the manner of execution was new 2-2
, . . . . _ ... ,- .-.. _ ,,m.....- _ . . . . .. . . . . . .
q and/or different than previously observed, and it was not obviously correct, we did not accept the new data or approacn unless appropriate justification
. was provided or tne justification was known to, and could be provided by us.
i A specific area wortny of note is that we did not assume, a priori, that the
'J }
4 application of a conservative, or very conservative approach necessarily
! provided an acceptable result. Althougn it is often assumed tnat this is not only a correct approach, but one where the analysis is conciously accepting a
[] l; self-imposed penalty, we do not accept tnis argument. We would agree enat 4 many, if not most cases in whien tne conservative selection of general
- d. approacn, model, or data leads to acceptably conservative results; newever.
l j the object of $ PRA is to identify the dominant contributors to core melt, or i to some other risk index, and the selection of excessively conservative models or data may produce results, especially qualitative results, that are
.- ~
essentially incorrect. This can occur because components, systems, or even i accident sequences are effectively promoted in relative importance so that
] eney may mask important results. If realistic models are used, the problem i
does not exist, and both the qualitative and quantitative results would be ( , easier to evaluate in terms of NRC concerns with public safety and in terms of the utility's use of the results for both public safety and plant reliacility i considerations.
?.: !
e t Y - 1 This is not to say that we take issue with the concept of screening
.:1 evaluations, or the use of conservative models or data to simplify and make ]i tractabid wnat is already a very complex analysis. The point is tnat the ij s
j cnotce of conservative assumptions in the analysis with respect to models and i data in a PRA must be made witn care, so that the results are not thereby 2-3 l . . . . . - , . . . . . . .. . .. .-. t-
i e
; q distorted in such a manner that important insignts are lost due to incorrect identification of dominant contributors.
- 2. 4
- ) 2.4 Sumary of Results Presented in the SSPSA
't ;
1 : l The content of this section is intended to provide a concise description of 1 3) the results presented in the SSPSA, witnout comment or elaboration, i .e., from
}'
f.g the perspective of PSNH. We intentionally drew neavily from the text of tne 3} g i SSPSA as a means of maintaining'tnis perspective, and many brief quotes and J near-quotes from the SSPSA are included in the material presented here, along
?? I d !- witn tables and figures from that report. As a consequence, tnis section may 1
1
- appear to lack development of important points or subjects. The section is
- n
, organized with all of tne text preceeding tne tantes and figures. -
!.O The reader is cautioned to use the information in this section with care, and to refer to the SSPSA for additional detail, particularly to SSPSA Sections 4' :
2.3 and 2.4 We also note that this summary is provided here only as a ,1 - ,d convenience to the reader and that it is not intenied to replace the sumary Y information presented in ene SSPSA.
"J q
J: i
*!i n
'd . L. l e. t ,g e l- . \' .-
. b i
24 t mes. eea .. e e e ee e *
~
. ......_.._e.__... . . _ _ . . . . .. . . - - . ..... _ _
- . . -. .._ ... . _ = . . . _ _ . - _ _ - - _ _ _ - - . - _ _ _ _
~ . .
?? "! 2.4.1 Questions Answered by the PRA SSPSA =) p The three questions listed below provide a structure for the analytical work j j of the SSPSA and a framework for organizing the numerical results. [! A 1 s o What is the likelihood of core melt? li;;l I o What is the likelihood of release of radioactive natarials as a function
.t) i jA '
of release magnitude?
'j '
o What is the likelihood of damage to public health and property as a I 1 function of tne level of damage? i The answers to these questions developed in the SSPSA are briefly described in {) Section 2.4.3. herein. - i - 'i j 2.4.2 What was Considered in the Analysis r; 2.4.2.1 Initiating Events W. Ti d
- ; The SPRA included consideration and quantification of the 58 initiating events A i .
1 4
.' listed in Table 2-1. The taale includes the code designator used for each initiator in the study.
s #
).
2.4.2.2 Plant Damage States The SSPSA considered 39 plant damage states in the risk mocel . These POSs are ([' , 25
~
i",
- ~ ~
3
- listed and defined in Table 2-2a. Their relationships to one another are ej _ { '
q
1 etc., and tnat tnis result is probably independent of the uncertainties in the
.I Il7 calculation of nuclear accident risks.
d i J
- ) 2.4.3.4.4 Comparison to NRC's Provisional Safety Goals 3
Sl
- 4 hj A comparison to NRC's provisional safety goals is presented in Taole 2-6. As
- 1 1
- can be seen in tnis table, the risk of early fatalities to the 4,435 11 J individuals within 1 mile of the plant was found to be a factor of between 5 d
7d and 5 below the individual risk goal, and the 4.2 million people witnin 50
)1 ej miles of tne plant were found to have an individual risk of latent cancer l fatality more than two orders of magnitude below the societal risk goal. Note that the values calculated in Table 2-6 for Seabrook Station are mean values. The mean values are used to obtain tne best maten with tne statement
( 2-14 9
. . . - . . . - . . . . . - . . . . . - - . - . --. ~
-, - - . . - . - , - . + - - - , - . - - - - - - - , - - , - , - , - r .- ,- -
.-- ,-v---,,--,..-.----e-~ --
l ] 1
, of tne risk goals in column 5. Unlike the median values, the mean values are 3
significantly influenced (increased) by the uncertainties that were l
,. j
~
quantified. u .] With regard to the core melt frequency design objective, the results of tnis the SSPSA of 1.9E-4 events per reactor yeat- (median) are within a f actor of d
?.j ; two of the design objective. The use of median values for this core melt M
Q frequency comparison has been suggested by the NRC for the trial use of the
?j safety goals.' In view of the facts that the Seabrook results include
- )
jj contributions from a full spectrum of external events and that the NRC nas 9 J indicated that care should be taken in the apportionment of external events to
-i :ne design objective, the SSPSA results are viewed as comparing favorably witn
[5 the design objective. If the contributions from seismic events, fires, and , 1 m other external events were not included, the SSPSA results for the median core (, . melt frequency would have been about 1.3E-4 events per reactoc year. In IMhtc s i of the underlying uncertainties, there is not a significant difference between 7;j -; 1.3E-4 and 1.0E-4 events per reactor year. L, 4 I 2.4.4 Key Findings and Insights
!}, .
8 41 1 ; In general, insights from the PRA are presented in the SSPSA Sunnary Report,
.} l 0d, f beginning on page 17. A listing of insights believed to be important is
't I provided below, in the words of tne reviewers.
; o Risks are low, but the core melt probability is higher than the proposed i
, . safety goal. ( o A very large numoer of sequences contribute to the total core melt probability. The single most dominant sequence contributes less tnan 15% of tne total, and tne top 27 sequences contribute just over half to tne 2-15
- p. .- . . .
, -__r. -, _,,., . . - _ _ _ _ - ,
----__-------r,w-,m. , ,
i
. total.
O e o The V-sequence accident totally dominates the risk of early fatali-ies. o External events are not important risk contributors (this result is not j ., consistent with other recent PRA results: Zion, Indian Point, Oconee g (NSAC/ utility assessment), Millstone Unit 3). f) o The most irportant initiating event in terms of core. melt probability is
.3 JI loss of off-site power.
,:i e; ?. . W
-I .i O
e 6 n 6 ,'$
;n m
Yg h
- i) .;
.1 1-t
't _
I
,.~
i 2-15
~
l
-. ,..~. . - . .--.%.- _.. =_ . i. e. . - - * - - - - - - - . - - - ~ ~ * * - -
c
_,. . . ._ ._ . .. .._ , 1 l s 1 2.5 References for Chaoter 2 4 1
.s' -; 1. SSPSA f ;j 2. SECY-81-25 ?! ;
q . N >t I 3. CONAES Repor*. >J 4
-2
- g a
. .',I .,9 1 .,] 'a- ,
$.**g ,
'% d i
4}. ,
..t l i
d) P ,9 I
>1 ]. ,4 4
h T.I ft )4
's .
d i e
.? %d 4
9 i 2-17 t
= = e-e. g ._ e.4_. ,p .-we,e== e N-==v-pe - o- = *- e m e + 3- e f ** * = e v-y ep, o g
TABLE 2-T. INITIATING EVENTS SELECTED FOR QUNITIFICATION OF THE SEABROOK STATION RISK MODEL A, Initiating Event Categories Selected Code Group for Separate Quantification Designator
! e Loss of Coolant 1. Excessive LOCA ELOCA !! Inventary 2. Large LOCA LLOCA
- j -
- 3. Medit m LOCA MLOCA y 4. Small LOCA SLOCA
. .: 5. Interfacing Systems LOCA V .j 6. Steau Generator Tube Rupture SGTR
- I o e General 7. Reactor Trip RT
) Iransients 8. Turbine Trip TT
- 9. Total Main Feedwater Loss TLMFW
/ 10. Partial Main Feedwater Less PLMFW Q 11. Excessive Feedwater Flow EXFW
- 12. Loss of Condenser Vacuum LCY J]
,i 13. Clo ure of One Hafn Steam
! Isolation Valve (MSIV) IMSIV i 14. Closure of All MSIVs AMSIY ]a 15. Core Power Excursion
- 16. Loss of Primary Flow CPEXC LOPF.
-l s,, 17. Steam Line Break Inside Containment SL3I i 18. Steam Line Break Outside Containment SLB0
- 19. Main Steam Relief Valve opening - MSRV l 20. Inadvertent Safety Injection SI i
r-
. e Connon Cause Init1ating j!
Events
.M Q - Support 21. Loss of Offsite Power LOSP
? System Faults 22. Loss of One DC Bus . L1DC
'lI : 23. Total. Loss of Service Water LO5W d 24. Total Loss of Component Cooling LPCC 8
Water (.:.i
- Seismic 25. 0.7g Seismic LOCA E.7L st
.. Events 26. 1.0g Seismic LOCA' E1.0L i 27. 0.2g Seismic Loss of Offsite Power E.2T i 28. 0.3g Seismic Loss of.0ffsite Power E.3T i, 29. 0.4g Seismic Loss of offsite Power E.4T
- 30. C.5g Seismic Loss of Offsite Power- E.5T t 31. 0.7g Seismic Loss of Offsite Power E.7T
'i 32. 1.0g Seismic Loss of Offsite Power E1.0T
(
. 2-18
~ ~-
TABLE 2-1. (c::ntinuad) G J r Initiating ' it Categories Selected C:de
., guP for Separaca Quantification Designatcr g
- 33. Cahie Spreading Roca - PCC Loss FIRCC l . - Fires
- 34. Cahie Spreading Room - AC Power Loss FSRAC fl -
- 35. Control Room - PCC Loss FCRCC i
'q FCRSW - 36. Control Room - Service Watar Loss FCRAC ~'
- 37. Control Room - AC Power Loss
' - 38. Electrical Tunnel 1 FET1
- 39. Electrical TunneT I FETZ
- 40. PCC Area FPCC I
i 41. Turbine Building - Loss of Offsita PTBLP d - Power ll -1NSL3 1 -
- Turbinet -
- 42. Steam Line Break
- 43. Large LOCA TMLL l Missile TMLCY l 44. Loss of Condenser Yacuum
- 45. Control Room Impact TMC2
- 46. Condensata Storage Tank Impact TMCST
- 47. Loss of PCC TNPCC g.
MELF
! - Tornado 48. Loss of Offsite Power and One -
,~ Missile 01essi Generator
- 49. Loss of PCC . .9CC
- 50. Control Room Impact MCR
,7
- 8 51. Containment Impact APC 7 - Aircraft Crash 52. Control Room Impact ACR
$3. Primary Auxiliary Building Impact APAS L]j a ,
- Flooding 54. Loss of Offsita Power FLL?
3 55. Loss of Offsite Power and Q q . One Switchgear Room FL1SG
. ..; 56. Loss of Offsite Power and
- Two Switchgear Rooms FL2SG 2
- 57. Loss of Offsita Power and Servica
.] .j.
Water Pumps PLSW
'l3-
- Others 58. Truck Crash into Transmission Lines TCTL
.i 0
l 2-19
i ...
- I I TA8t.E 2-2a. OEFINITION OF PLANT DAMAGE STATES USED' IN
, SEABROOK STATION RISK MODEL
,O C:nditions at T!ae of seactar
- l ! N
Vessel Nit-Through h qs Cantainment Candttfee
,!i !
State Yessel Care
.< Cace Tfu p7,,,,,, g,,4gy ,
"r e cry Isolated. No Sprays, se Nest assevel
;; - In Early Low IF tarfy Las 3ry typassed. Large Seeming. No F11tratten I ,
- lyF Early Las Dry Bypassed. Seell Opening. No Filtraties
- Early Law Ory Atreraft Crash , Na Filtratfee IFA
*3 Carly Las Vet Isolated. Sprays. Nest teneval l IA f Vet Isolated. Sprays, No Nest Reeve!
j~ 2E Early Law i ' Early Lau Met Iselsted. No Sprays. No Neat Reesva! 23 ]q ,i 2 Early Law Vet typassed.,targe Opening. Flitratfee l
- tarly Wet Bypassed. Large Opening. Me Flitratten i .F Law NP Early Lam Wet Sypassed. Ses11 Opening. No Flitraties y ,
I 2FA tarly Law Vet Afrcraft Crash No Flitratfee
- d. .
Early Nigh Dry fselated, No Sprays. No Neat Removal 23
! Bypassed. Large Cpening. No Ff1trasfee tarly Nigh Cry i
l 3F :FP tarly Nign Dry Spassed. Ses11 Opening. No Fittration l 4A tarly Nigh Vet Isstated. Sprays. Heat Renoval AC tarly Nigh Vet Iselated. Sprays, Ne West Ienewal O = t-tF NT. = t-tand. = wrs. = = =e-> f i tarly Nfgh uet Bypassed. Large Opening. Flitratten 4E <j j 3st Bypassed. Large Opening. No Flitration
. t .
W tarly Nigh '~? wp tarly Nigh Vet Bypassed. Sell Openfog. No Filtration
- - sa Late Law vet tsetated. Spesys. Most Renevnt (su Isolated. Sprays.' No Nea's temeval E ' Late 3et
~
> ED Late Las Vet Isefated. Se Sprays. No Nest Resevei P'. 4 EE Late Lee Wet Sypassed. Large Opening. Flitration g
typassed.Largefopening.NoFlitration F Late Law vet 1 ! Late Law 7et typassed. Sea.1T Opening. No Filtration
! *) . l WP WA Late Lee 3et Afreraft Crash l3e Flitratise d ,
,I Isolated..No Israys. No Neat Reevat j ;
75 7F Late Late Nip Nigh
- Ory Ory . Eypassed. LargeI0pening. se Flitration h ' Ory typassed. 'Senil Opening. se F1f tration Late Nigh
] 7FP Late Nigh Vet tseisted. Sprays. Nest teenval IA ] .
E Late Nigh Wet Isefated. Sprays se Heat teneval y , I 40 Late Nigh . Met Isolated. Se Sprays. No Neat Reenval r
' at late Mfgk Wet typassed. Large Opening. Flitration ' 'I F Late Nigh Vet typassed. Large Opening, se Flitration Ep Late Nigh Vet typassed. Sealf Opening. Me Flitration j ,
1A ' W "888** I8#37 *** I'"' ' I I foecial States for 5ttas (' Sypassed. Serays. Me Heat tereval
. IC : :enerator fuse Rusture S o .ssed. ,a strays. = 4. a tene.at j in py,:r;r,,;=,;aa"='aa i 2-20
-- -- - -- -- -.-.... .. -- - . . . J .. . , . . . , _ . . . . _ . . , . .. _ ,_ . , , ,
w---- ,-_-- - ,- y-- - _ m- _y .,,,,,y.+, -
-,.y .-y. 9--,y- _ - - - ,, -.w m.p. -y-,_,m_ .-,, . , , ,. - -
- - - = - - - - - - - - . . . . . :. . . . .. _
l . i f. g
,9
.'. g!!
g a s sg s j .4 g @ @ se @ @@ @! & w[ . . .~ l Mkh rN.I ,YY $:Yb $'h $C.N j _ o a e er a
.:i, @ @ @ @ @ @ @ M
- 1 : n i !.g-@.
4r
;- m s g e 1 e
a 8 e . m :: I ' s- ! ! I!c@@ ! @ @ H @ @ @ $s -
"i la 51 o a . m
- , ,e y
g . *.:~g, w .z vt 4 Q - Q .
$hy,7 3 3
E 3 !* D $E 3$
.}
/ I s@ M
. tyst:,
e y .
.y - ,
e a i : i< * @ @ @ .g i @ @ @@ u
!a
- e. . -
isg o - w 1 I i i !ldli" @ @ l l
. g
. j.!
.k
> " o 3 E -
e.
- 2
- 4 g $5
! E ..
g k s 1 E5
~ ,1 C
w we ,.I E 5 E I E I. E E c Ig: g pj i .g
~
g!,, ;j i ! 't i a i a i i gi
.2 wi ~
gs o g- 4
.s 3; i
lgII
~
a .
- I ti
- 1
!g a
- I. i l'
'11
; a ...
2> I,.>, - {a;
=
13 es ii *: llI Ei_ - . -ave !. .i.
. =ji 5a 8:3 3
w. 1 4
- - - - . - - 7.71
?
TABL:.2 3. RELEASE CATEGORIES EMPLOYED IN THE SEA 8R00K STATION RISK MODEL 9 ** 6
- Release Category Release Definition l
, Group Category ~;
l
. 55 Containment intact / isolated with enclosure air .
Containment handling filtration working.
. . Intact / Isolated A
; SS Same as 55 but with enclosure air handling
'., filtration not working. fi ! q , j > 52 Early containment leakage with late overpres-t - surization failure and containment building
} sprays working.
i t Tl Same as.52, but with containment building spray
; not working.
i UY. Same as TI, but with an additional vaporization I component of the source tarm.
~
Long Tenn S3 Late overpressurization failure of the contain-O
~
Contai - nt =aat with na aarix 1**kas* and ==ntainment Failure buiTding sprays working. I, ; E Same as S3, but with containment building sprays t : not working.
,1 .l T3V Same as U, but with an additional vaporization component of the source term.
T- ].1 TOI Containment basemat melt-through with contain-ment building sprays not working and additienal I;j vaporization component of the source tam. n ' Jj
.-{ : 56 Containment bypass or isolation failure with .
, i containment building sprays working.
'i j .j To9f Same as 56, but with containment building 21 Early sprays not working and an additional vapori-Containment zation component of the source term.
Failure / Bypass
! Early containment failure due to steam explosion 51
, or hydrogen burn with centainment building i sprays working.
~ t--'
E Saee as 51, but with containment building scrays . not working. l' s 2-22
. . . . _ _ _. . . - . . _ , , .w. . .. _ . . . . - .- .
~ .. . .. .. .
t b, i . i
.e . -
,s....
.. =
,. . . ... . . . . s . t? .
I ;
. .c 3 *2. 333 3 3 2 33 3 37 3 e
4 1, t
. mw w -
3
. s....I .
3 .
.... 3
- 4 . . . . . . . .
3 .
+
-d w . . .. ., ..
>- 4 o .
3 ,.. 3 ., 3
,! < w .. ..
.e w .a w i4:(
>. m . .. . .. ., , . ."..
id = w 3 . 3 .. . . 3 . 3 y
-i 1
,w
< v. .
,e 3 .,.
. 3.
3. J
, wa g g l g
.m w ,- . . . .
in * . . ..
.c .a .e . . .,., . .. .
, w . . . .
- m. . . .
3 , . . t
< w ma a I W -
1 . e
- o. w b e . ..
1 . T .
. 1 (4
W 3 ** 233
% 3 . ..,
3 3 3 3 2. 3 33,3 3 3 3 3 3 f e ac . . . .
> o . ... ., . . .
.e.. .. ...
. .w .........
............ .e Em u
! o . . . . . .. . . .m
; ww 3 ..
. 3 . .
C . e I. . . m< ;= 3 . . 3 .
.3 .
. 3 .a
. . .. , , . a
>c y . ..., .
. w . ..... . . . .. ... . . . . . . .. . .... . . .. ............
mw . .- . . . ... . .. , ,,a. w 3.c . aw . . . . . . . -Q
- u. w 3 3 3.,3 .
233 3 3 3. 3 2 33 333 3 33 3 3m
. .c . ,, . ... ,
.,. 3, .
g- ,.. ,. . . ............
.% 3. . ............ %,
1 * ' ,
- a. ,
N M w
, 93
,~ w.a a 25-w 33 .,
. 3 .
m 3... J.
-1 4
i.
> w. .
=.
W e t.. .
. . .. ... . t . . . .. ... . ..
. . . g, 6 3 32 233 3 3, 3 3 2. 3 333 3, 3, 33 3 3 3 .
. . . . . . e . &
=
e.......s.... . g
..e s... .. ..... .......e
- G 4
v.
..*. ... .. ... eee .. .... g e
g
..*e.ee.e
..=. ..
.me.e e a v.
e .. e. e .=e= 3.... I.. z.... . ... 3 g
....... . .d.
#b WO .==..a
.we.mem.w.
==...... .....
mwemmewwmemme .
...ea . ....
www.==wwwww
....... =.
....... a 4
g C"I eu
-w
*J 4 X 4J .
2-23 _ . . . . . _ . - . . . . .. . . .. . .~
. . . ~ . . . . . ..s
.-..w.. .w n. _ .. .
. . ~ . ,
_ mm _ _ _, _ _ . . . . _ _ _ _ _ . _ _ _ . _ _. _ ._ . ._ s . . . . . . , . . . . . .
.'~\.
6
. .o.. ... . - ..ee ..e. . .
.e .e e e e
.e....e . - . e. e. e .. e e .
e.e.t. - - .e. e. e. e. e. e e 3 ,....
- ~. ~. .
. e. . . .-- e e
e ....
. .e .
.e
.... ~.e. -
3 e....--........
. e -- e e
.e ... ..
..e .
e
,n "d
. ~
, . e. .
.. . .. c -~o .-
=~...e..~~-e-.. . .
eo .een meem . on m eeeeeeeeeeeee o
- ee. .e.. ...e . . ... .-e= .
. . e. ..e. e. ... .e. e. 7 T e. e. ? e. ... . ..e.T
.. To.77 ? e.
- .~
d l; . I
. .I I. .I I.II.I EII.I 2 e .
- e. .. . e. I Iee E . e X. ....I IIII I.II e. I. I.
I e l e I em m y e.
. . .e. .= m, m e ee-.
. . e. e.n g g ..m
. e. .= e . e. mg .e
. e. ......e=
em-
= = = e ne-e...m
- m. e. e. . =. a. m. e.e.
ee.e =. e eeeeeeeeeeeee e - J, p. . ee= .em. .... . . .ee =-e= e.=Im . e , e =.
. . . > _. . e. _ m. e. e. .w. . e.. e. m. e. e. s e. e. . . e. e. e. . e 3. e. . .- . . .. ...
....e 3
1 g e.. omm em..e .= =. =en e e e w
.em e*=
. w...
e.a .-e. e** m
- e
=
e w I. -. ,6 > 4 =. a. . . . e..e ***e ...a.g e .em m e.ee - = e qy e. ... . .=.=.e.e=.=
..ee-ee e.
.m e. . emomme e .m e e.p..e. m . .
. s, 3
< m e .m. ee ..m... . me. e
. . e
. e. . =
. . n ...e emeeeneseeeee m
. m. . . . . . . . .
Mv . eem .em. .... . m see =eem e=== . .
- t. .
w W e e = e m. n.
.. . a. 4 W g . e. e. . . e. e. e e. . e. e. =. e. e. e. s. e. o e. .
m .... .T
.gg. s e.. e. e ...
....w www w e =
.~,
1 g q g e a.e m e
- e. eeo= .e e ...
e .*~ .
-m es m m .e
= e o
1 g w .= 4 e= e..,. e .==. m ee= =.~~m .. e=*= .e e, ,e
- e. e e.
.d
.. t.a ,
Ha g gg w p g = m. . e. . =. m. .. e. .m. ..m. a. m mem=mme-m.m m.
, *= e.s. . ..
..ee-e
. . e. . .m.e....
em. e e .
- m. m ..............
egesegeeeeeee =
. J.
W g - .em. ...e e a e.. - e . .e ..== . e . == .m *e . M ._ g .e e = = s e e =
- e. e.
.. e. e.
e
- m. e. e.
e = . . .e . , , . <v e. e. e. =. e. e. e. e. s. =.
, a< .. ... .. .. ... ... . ., .,
.e ...
.- . e e. e o . ...
. .- . .- . e . .
-- w .e e. -
m L. u
. e~
~ e-oe o
e e ~.... .e .. e.~e
~ me~~
. e.
.. ~e.
e e e
.e
. .e
.e. .. < ~ . ~
.- a e . a. e. . .e . . . .m. ..n. o. . = = - ~ .... - ~ .o. . . . - ~ .. , . .
~.... .. e eeeee e a e . . e.. . . . .
j . ag, u
..*.= - e 3 1m. o me. .... .... . . eee .e.. .... . . .. .. , e .
t~ a w e. . e. e. .. .e. . e. e. e. e. e. o. e. . e. e. . . e. e. e. e. e. e. e. - e. .. ... .. ? ? e. 3.m
- w ww C 3e T.yr. 2233 e 327.~3 3 3 233 N332 3:33 3 e 3 e X. 3 3=2 3 = = g w w .. -...
e.e. e e =
=~e 3.~2 .=~e. .. . . .m e . . e .
,i w a a
. m e. ...
.e-
.......... .e....
.e e.
m
......e.e......
. , . ..e ..... ... ...
m
....... .... ee.ee.
--ee-a
.e -
85 , % .e. -e. * . .ee . . .. e e -. o 3 . .e.2 .. e. . 2 3 3 4 e e - e e e e . . .e ..
- e. e.. .
e e... 3 S. e. . .e.$. e. w . e.e..,. -,.. . . .. e . e.
.e .
6
..... . .e ee .g .. m.
3 .. e .e .
- 3. e. . e ga e. .e . .e 3
...e .e .,. .e .. . . an
... e. o .. .
eco. e e.
.e . . ,. .e e
. . . e. .e. -...,.,....e...
i
>- e. . . .
i
. w .
. e..... . . . . m. .... ,...e.=.. . e. .
.....e ...e . . ..
c e .. . ee eeeee E me. .... .... . . ee. .e . .... . .ee o se o
.'.' ww e. . . e. e. e. g. e. o. ...e. ,, e . . e. e. .. ... .? T T e. e. e. e. . e. e. e. e. .... .. o. . o. e.
O m 3 173 ==22 33== 3e 3 233 -. 3:3= 3:33 2 3 3:3 -..
==33 = ~
33n-
=. ] i
_.. >c w 3 .e . . < .~. 3 .e 8 e
... .e. . . . . ,
. .e .- 3 -.3 ,-..*-. 3 3 .e . ~. 2 .o. ,. ~..e
...e . - e . -
.c-
.g
.. w y
. .......e..,...e... .
= ,
.=.........e.e...e..
- e. e. . ..
. . . e e . e. . ..e..ee.
wx e ee.. e....e82 . e
. ee e.. .... . , ...
e ...
.. eeee = 13 as w . .. ..e e
.e.3 . =.. *. *. *me eeee q
.1'
.A e
a,y p e
-e.e.
e.-..ewee.... e .......
.Mee@.@
+ =.a=+=S=a e
.e p
e 46
=e* @...e.#Ie 4.m.e
==.I
- e. e. e.
e e I em e e
. e.e
=*. -.** eeee e
** e ...
..*a ee e
me. e. e. e e
.e..= .ee.eeen, ee von e**~ m.m.
.; ee 3 e.
- e. e m. ,
- e. e. =. . e. w e.m.
j . .e.m m. . . .ee. m. . . m. e e. ....e.. . . m. .. . ....e--
- m. o. . m. . ..e .. e...e,. . ~. e. . .s. m. . .m.
g g .. 4 i Ng .w .e
.h , ,,,,,,,,,,,,, , , ,,, ,,,, ,,,, , , ,,, ,,,, ,,,, , {
;q- mg d
- e. .. e. e. .. .. ... .e. . t e. s. e.
. e. . .. e. . m. e. e. t*.*.*.
=7 3
. ... . . . * . ? ? *. e. 7 g a,?D. Ew as 3 z;3.x=73233x3= * **= z.
3 e 23* =2:= 3
* - * - -
- 3 * *. , 3 e 3=2 x;=2 *ee = 3 3. =. 3
~~.. .
. e. e.. we . .. e- 3 ~ ~* .. . . e =.. =~ . ~
e.
. . . .m. .m=new.eme
=. . .. e.m..-
- e. e.e. . e. a.. .m.m.., ~....e
&u .
- e e. .w *
.... . e e. .ww. . .
. . M
'; i .... m. e. . m. y s{ , . am o . w = - e .
- e. g.
m o m e m e a e e mm , l-s .
==== .
===.= ee.
- e. e..
.. .m e . s. . .
......... .... .m e. e. s. O e e.ee ...e. 9 a ....
g Mb wq g
-%e
....z....
. .m .% .p-.. # % m .d .,
3 e 44
...r....
....d..4.*.A.MM..,
e
=
Mm
..m.m.
z. m .. . .e.g .e
- g d - .A D G
- p. w
(' NN av 3
' 2-24 I
--,e-=,
. - . - .#.. . - . - . .wg we .. . 7 w . . . . - - . . . - . == 5 m ..
4 -
. , - - - . , - - - . - - ,,.-___.,----.,n--..---- - . - - . - _ _ . - . _ . - - - - - - -
. .. u - : . . ~a :a , . .a .w.. :. . .. a . . . .. . . . ,
.. .-..-.. ..:._. . w w . a L e L .i w ~.
. . . . . . _ _ . . . . _ . .. . . m_...._.... . .
i f
- i b >
! I + i ii ; .$t
.i .I i
~l TABLE 2-Sa. CONTRIBUTION OF RELEASE CATEGORIES TO RISK OF EARLY FATALITIES Mueber 'of Early Fatalities > } B (percent contribution af release category) 1 10 100 1.000 10.000
{ W (98.98) M (98.8) N (99.4 ) N (99.4) 56T (99.5) 52V (0.92) EW (1.10) IN (0.52) 52v (0.49) St (0.25) 5T (0.24 ) i Others (< .1) Others (< .2) Others (< .1) Others (< .1) Others (0) . I. 9 l
,,"*a d ca 4.60-7 3.87-7 3.14-7 1.78-7 6.26-10 .
1; fE j NOTE: Exponential notation is 1Ddicated in abbreviated form; j 1.e. 4.60-7 = 4.60 x 10-1 ,
! 0921P110983
..' . ._. .i: .;
....-.u .. _4.L C .). w .i .. _ . _ . - - - . .:---..2._. .
.' . c. . . ..: _ .
t O O i i
$ i '
j i i
. TA8tE 2 -Sb. CONTRIBUTIONS OF RELEASE CATEGORIES i -
TO RISK OF LATENT CANdER FATALITIES - I 4 i . . . . .
,;l l . !
Number of 1.atent Cancer Fatalities i . l 1 10 100 1,000 10.000 100.000 I, i 5 W (43.8) 5 W (41.9) IW (31.7)
- 5W (51.2) 5W (44.8) S2Y (76.0) l 1 i .
l.' l ET (32.0) 5T (33.3) I W (30.3) 5W (17.1) 5W (35.5) 5W (22.4 ) + t i ! l '? 5N (12.3) 5 W (16.2) IT(28.2) ET (15.9) IT (9.55) } E i 5W (7.65)
~ , 5W (5.51) . 5W (5.73) T41 (4.82) 3~dV (11.9) 55 (4.07) I W (2.19) IF (4.11) j 5W (1.67 )
J Others (< 1.0) Others (< 1.0) Others (< 1.0) Others (< 4.0) 0$hers (< 3.0) Others (< 2.0) j [,'c"],"[],8I 1.45-4 1.10-4 5.04-5 8.15-6 4.32-7. 1.17-9 i il0TE: Exponential notatton is indicated in abbreviated form; 1.e.,1.45-4 = 1.45 x 10-4 l l i l l 1 .
! 0921P110983 i
I
. - _ . . ...:_ _. ,.__m u...s_,_,.___.
.3 , ,
. I '
i .-
. ( ,
) !
,' i l
l . i . i l i - TABLE 2-6. COMPARISON OF INDIVIDUAL AND SOCIETAL RISKS CALCULATED
' FOR SEABROOK STATION AGAINST NRC INTERIN SAFETV GOALS l
l Risk Nonnuclear Calculated NRC Risk SSPSA j
'- Fatality Risk in SSPSA* Goal Basis 8"" "I i
Component of Population Population (frequency of (frequency (percentof l l y RI* 688I 588"*"" factitty per person per year) of fatality per person nonnuclear risk)
""N"' '
tj j per yearl I 4,436 5.0 x 10-4 8.6 x 10-8 0.1% of Non. 0.0171
; Early Fatality 1 stia radius nuclear ,
!. Accidental I , Fatality Risk
.i 2.0 x 10-3 6.3 x 10-9 0.1% of Non, 0.00031 (
1.atent Cancer 60 mile radius 4,200,000 nuclear Cancer
~
'l Fatality 6
. Fatality Risk '
. i. .
l
*tlased on mean values of uncertainty distributions. !
i t : \ i i i . c 4 : i ;
- .i t.
t a d t
,. . . ~ .. . ..a . a a - . '.u c -
a R .:.a :LW .. - sw M wMa.w . ..:u. . . . .- ,
, t. .. - . . . - . .. . . .
ij - (n.
~~
e i *
't
' I. i
; i I
1 TABLE 2-7. i RESULTSOFHATRIXOPERATIO.N[;FREQUENCYOFOCCURRENCE l OF EACH RELEASE CATEGORY AS A RESUL. OF EACil PLANT DAMAGE STATE :
, i . . ,
4 I Plant i Damage Release Categories *
. State
- n i, o n .. nieu. .u.a. nuo. .n- n nuna -
.=au, unen anon
.. . .. .. .. .. ..nu.n .. .. . .n u..n ..n.............. .
i .. . u. 8. n.
..... .. .n
.. . n.u.e . . . .
. . .. . . .. .u.u 1
u n
. . . .n..
.. . .. .. n .n .
l
..n n.,n ..
.. n .. . .... ..un. n u .......... . . ........
a.
.. . i n. .... .. n.. .n .... n o. ..
.. i
- 1. . .o ..un..n ..
. n u.... ... ...
! m. n.
. .o n
m n u ..n..... .. ... .. 1.....
.... uo .a ...= . .. ..n u . ... . . . . . .
a~ .
..u....n u.
n .. ...i. .n..... .....n......
. . . ;l 11.lnu.. .....
. . ... .n . ..
8 i a.
.u in.n . .
.nn.. ..
. ...n...n i
-. .o.
. ....n..n..
. .. ...u a.n
....a...
1.. u . .....
- u. . 8 .......... . . .
...uu.......................n.....
, .? .
. . . .. ..... . n . . . . .. . u. a . . . .... .
.n u.n ........e.
1 n .
.... ..n
... n..n .
.. ....u...
.u
... .n.. .
..n .... . .u u .n . . .. ....n.. .. . . . . . .
l
- n. , .. .. .. ..
. . . . . . . .. . u u ... .
... u w .. ... .
.. . . ....u..
. ... . ..n.. ... . ... .. n .n ,...
)
=
,. . . .. . .. . . ...u..............
. n u..s . n ... . . . . .. . . ..
- 1 .. ..
- :. ..e ...
4 i , u . ..
.. . .. n .n .. .
.....u .. .. .. .
u u,
.. n u ...
.....u.....
u u.
..n .u.... .. ..
...o ..... .....n ... ... u.......u... ..n.u.n ..nn........u......uu. ,..... .....u.n.. ............,..n... .
l
- i f
;
- Plant damage state and release categories are defined in Tables 13.1-2 and 13.1-3, i ,
i respectively. ' I. 1 l l l
?
l
" O =D m g
g ag g .g gg g N '*O- N *BD - Mee 49 4 68 9 6mo e 4
.I 3 k
,~
'J
-t se
,8
%* 9 O
- w
.y ; >
(a SN
. en MN
-- - - - - w2 l W
- 4 i ? >c f-l l
~
I N> wm we
'] ==J J W a==
EM
. WC
~
+8 az
.-f
. 8 bs
? w=
m
.2 .a a e y>
.o 5m C E,~ mg
- r u 3- -
I I
>E-E t _m
-l S 3 E .J w sc*
- e a en me m m s2 1
W $$
- - E
'2
- e Jap :>= 8 2
y-j t 3c
<=
'b >>
m ac Wm
~3 .
. ., um
' hs
..-j 4
.a 8
MM
'., s== 4 9W
*e WM 3C u
34
!) L:3
- r. a ~
i W 1 e .6 h l
' Airprl:Altitev1Cvd
',.4.3
;l
.' e 1
*-% / e f) ,
i 2-29 f I i J g - - . . . .. , I e
' ' * * * ' * * + n ww o.r. m a = - e,- , - - -. . .
6m b s (" t,
?
en
~ - <,
; - I $ $ 4 .
W e j . W
~ 4
= .
>= m
_1 4>
- . O >=
4= 44 lll> === .
.- W CD i o .
4 3
* . U
' =X W Ca.
$ W WD t e
> 2m 7 g W >=
i
= - g e* <
+ . . -
u MJ
- r. , . < a y
- 1. _ i zmG
.E Ww e.e e z
.i
- EB -
} WQ w =
. .- > )eg
= = g
,- mmT
. Wm W
g I . a 5 ,5 -
- 1 58
>=$=
* - ====== .. 3 ""*
i i
. N-- -- -
25
=
$ "", l
- WW
- ' , . -m- 3 uss- MJ
- Tg e < *S =
'4 .
3 C e t * - M.i -
.t y a g:M c:.a .,* -
W s> ,.
=
g =
$ .m 3
=
*t
; e E4
.e { W >-
! .* - e. W (#1
-?
s .,
$w w n 1
' 3 0 eM
"
- n' *
.g g
* $ w<
J = sW <j - NM I 2 2 W
- ] -. E
= - -
3 W d 4 e e , t e a a a , = I
', -*
- e e a e AM tEV1CWd 193.v*.* red 3
] 2-30
..oo e w.,, ,e. .'..m-.,- . .. ~. . .. . . , . , ,
.. . . .. - .. .. . . . - . .- i I
1 1 l IT l t i i
<i
+ .
N 10 d - - a w i *
'3 d a
~ u C
'i < 104 - -
2 -
.e
, < a a =<
i E y
.C e i
4
*c W>
~
< u
. = g< tri -
0.ss .- l da x =
, ^
I
= 6 m
, 's. E (3
- O >
j > 2 -
~
M5 G i
, y.i<7 w
. s m
J; 0.50
.J
'.) ' 4 - 10 - 0.30 m. I 0.10 1 to*g I I N I l kl I 100 10 I 10 2 10 3 10 4 1E ACUTE FATAUTIES
-)
l
?
FIGURE 2 2a. RISK OF EARLY FATALITIES ( 2-31
...,.. .. - - . my ... . , .... %..
. - , . . . . . . - - ~
~ --
i
, . ,o-s 4 i i 4 to" - -
. a w
w a.& 4 ,. w a trs - -
,. x, =
. < w m
O g w u c w 0.95
=
< a i .i = w< tr* -
asa - . 1 . . . w w a u x w = I w & *
. = am -
o2w - E w
*t!
i 10"7 - - s -
,. 0.50 4 . 5 w
i, a? = i- a. . w !!. [k !
*\
' i -
- tr' a.ie -
. 4
' ,' .L 9
j aso ia-' n go t igt . ig 2 4 j to ic ig s EARt.Y INJURIES t FIGURE 2 2b. RISK OF INJURIES i (- . 2-32
, . , _ . . - . . _ , . . _ . _ _ _ _ . . - . . . .--__ - - . . ~ . . . .
--.___..---.ys . - - _ ._ _ _~ ,, ,_. __ _ . ___ -._,- ____ _ _.._._ _
... ~... . . . . .
O.. A 10 4 i i i
~
. !. tad -
. 0.98 a.so d 170
=
> 0.50 a -
w 10 5 - c.30 o
< c.to 3< *- G.05 og g >e
*o -
W
< to-8 -
1 - om .
=s
- 5 e . .
r 6
; w -
.z gg-7 i
b.
=
t a P! ~ 10~8 - 5
, , , < i to-' -
4 5g0 10 1 102 t$ t/ 18 a THYMCIO CANCEM CASES j . . 4 FIGURE 2-2c. RISK OF THYROID CNICER CASES I . , 2-33
._ se -gemum . en-* . .es....e=4. e . . . .
-i .
- , . . , - . - - . . . - - . . , . . , . _ , .. . . - .. -.: . ..e_ . -- - _ . . . . . .
4 i 4 L 10"* I 6 i . t l 4 9
* ~
l l 10 4.35
! : a o.so '
w ' w 0.7o
= a.so
, o .
< o.:1o -
2 10 5 _ e jg, 0.10 i
+ s$
C> de zo 40
$$ir8 um i, us
) *g t .
C_. cig i hz Es - gw.to-7 -
=
a i. 1 1 !U . o: . ,ca - 4 ' 1 i i
*! i s
ig-s ' ' ' ' [ so m go t 1c 2 to3 ta' to3 1.ATENT CANCER FATAUTIES I t f f f I I l
.0001 . net .01 .1 1.0 110 100.0 PERCENT INCREASE IN CANCER FATAUTIES WITHIN 50 Mt1.15
(_.1 FIGURE 2-2d. RISK OF LATENT CANCS FATALITIES i (OTHER THAM FATAL THYROID CANCERS) I F 2-34 e 't *****t'**' += - - , sq.7 . . , . , . , , , . _ .
. - _ - - . . , - - _ _ . , - - - , - . , - . _ _ - - - . , , , _ - , - - _ - - - _ , _ . _ - - . - . - - _ . _ ~ . - , _ . - - - - _
^
- 1. -
. . _ . - .. ,, 1. .. _..m- . . . . .. . _ . . - .
O, . i
.j # 6 6 i i i i
a 1 i . _
? M
! g an
! 5 m
; : a i
jai s _
= -
1 < 85 . VI
<G
<
- ur* -
3"
==
- 1 =c 323 .
(-
$5
- g. <-
1 1 -
..i
\ .. 'j e ' ' ' i
,,2 # se 8 d tes ,#
ci #
.- usa- nos .l.
i
.! FIGURE 2-Za. RISK OF MAN-REM t
E g
! 2-35
. .. - . . ._ . .. .7_.,., .. . - _ . . - - .. .. .. - .. - --- ..- _
* * ~ s -- -. - ... . . ,
p t
.E v
]
. J.:*
a r 4
.=.4 ;
6 6 g 6 4
- A
.1 ' %
I ]4 .
- k
- 4 Ese
^ 1" j 5 ~2 s .$. l S$
l L./ 3*< 4 - b.3 1 g==
-4, / =
5 a I, M, . s . M =
=>.
'd
~5;
, , t ,
'4 4 s = ,.n l : ,,
, a s , , ,
r ;,4 ., ,
,wre no u sas,
,0 U g g M tg*O ,.
'.) MM r;
..w.
s 4 FIGURE 2-2f. RISK OF PROPERTY DAMAGE AND EVACUATICN COSTS
.I
'l
,,/
2-26 t. h 4 i
- .~. . . . . . . . . . . .
q p g. , p 4 , g
'* f *MNN** _ , p 4 .=9 , _
. ' a n -- .. d.. c.. Las..'.le.G 2 k d a '094.l) k' M Ei k.ie.- -
. .- e - J.A. 24 J CAWMO4GEMU d-.6. - L ." .# . ti.
1 *
. .. . . . . . . . - . . . . . . - . . - . . . - . . . . . . . . - . . . . . ~ - . . . . . . . . .
J g
' ;.i .
~
l .? j *
)'
t k j
.i- . .
] .
- p inntatELTATTWO .
4 l emot ST A)40N i t I cons 44GLT " g{ At LAQ4 UN45 ! ; i i I ,. f s
=
m i y [, ~ .s i . i ' .I j l t - l 1 I' f i ! .j -l I
}
! {
~
'i i ! !!
I i , I
- le' le 38' #~ '"
4 EV686T#AEOu500CY EVENIEFt2VEAR l I
- t l -j l
t FIGURE 2-3a. UNCERTAINTY DISTRIBUTION OF CORE HELT FREQUENCY FOR ONE ANDTWOUNITOPERATIONS(PR08ABILITVDENSITV) ~. l 6 i
?
.*4 -' . a ..r. -
42J.., + . . . & *.# . m.
, e t
-4 .
i . 4 a .I.
'I-s t..
8e
'.l. e '
= =
M - [ i -
+.
,s' un --
- c. .. -
1 _3 au 3
~
l "4 f 5
'e ? C j J i . 6
- j { .. - > . . .. -- --
, . v 4 .
3 k . gg . .
.. f m
=
-4 w
- l~
>=
4m Wh
', e**
w zw == t
* > td no
* - g ese 4 m.i e 7 { C .Jl3 w " 3 ue 1 g 2 >
E a wi G 1- _' 4 3 t =
, z w
Ge meeubemesem-ame.m
--ge gn es g Qg 2 -
a w "" wD W I U) - 3 == , > 3
- D w m ,e
.<. 3 -$ == , .
< =
I ;. i 2 T, 3 m a
) - E ",
~
8 gw
'd . . g . >m ay 8,.
o
>5 x --
' v4 3 l 2 =.> h 4 .4E 3 0
..*i
~
- y 't. ~"
T
't , D$
a -, - . 9
.i we 2
'4 mm 2 -i
! es a. l3 >=
. g -i ==
=
l . .
~, e. .ii 3 N 3 J
'd v .,.
=
* .,,i MC (l ,
= * *2s
; - w
, g. , 5 !.. % N O
==
?- & l l-t-
..4
. , , . =
,. ; i e a e = n 3
- e e e e
., r a
.t
- Mitr5CWd 3AllMAnfC t
6
. 2-38
,- 'i
, . . . . . . . .,,. . .-. ....._y,7.,. . . , . . . . . _ - . . . . , , , _ ..._
l
. ~ , . , _ _ _ ,, _ _ _ . . . . . _ . , _ . _ _ _. . . _ . _ . . _ _ _ _ _ . . _ . _ . , _ . _ . _ _
4 8 s l l t , l
/ ) l ' * "" 10*3 a e a Li. .
_..l N s .4
.". l' ,f - $1NGLE UNIT _,
-}
3 . = = = COUBLE UNIT
. , a, , ...e .
a
; ! =
w n, i a
,a , w
, ;.3 .
; ,,.s - -
- 1. %. 3a
J,,i. a< w E>
J, o, a
.., wo u
y, au a s to =m Us - +
.x .w %
g ow E m. \
> .z \
> to-7 \
. w- .
g s -
~. = \
a . 6 % 8 t i$
;n
,' ,a-a - \ -
t , d= - !i l
'.;.1, '. A .
I pg - I 4; . e e i se l td 8 ga s If') . tc 10 3 102 ;g4 to5 TU EAnt.y FATAuTits [ ,. y l t .j w; . .
'~ i FIGURE 2-ta. COMPARISON OF SINGLE AND DOUBLE UNIT
.. i, RISK OF EARLY FATALIT( (MEAN VALUES) l 's e
.S
* \ '
*/
g.}g i
, ,y , pi gy g gg> e se en.> p *Mh.'u'UD9" '-U"i '
l
-i i ; .+
t I
)
l '. <l . 3 A-l . in i , r.q
-[.f SINGLE UNIT
~if th
.j i
* * == . "" * % % % = = = OOUBLE UNIT j %
-m s;
i t4, u g N 4 1 \
..) d %
l j $8
\
.i s , w c .
\ _
! 10-5 \
- 4 2m
<< \
cw \
- u. >
Os (d
.'- wC
@E \(
, ajto-* -
\-
Ea uw Xb S w es ^
\ .' 3E \
d >$ \ _ Bj M w E to-7 -
'a g \
h b w 1
-i a -
- s. .; u. }
e , W A ~ \3 _
$E h 1
10
\
-l *
}
- 1 ,1
^4 5
}
f,'s ' ' ' ' ' I
'*i 10*I 4 5 ,gg 103
' 0 10 I 10 2 10 10 10
'!
- LATENT CANCER FATALmES
/ FIGURE 2-.1b. COMPARISON OF SINGLE AND 000BLE UNIT RIsg
' 0F LATENT CANCER FATALITY-MEAN VALUES
' i A
i
- 2-40 J
- - - = . . . _ . . . __ ... .
I
" * " ' **- e- *-- . . , , . . .
- --,-,. . ,..---,--,--w--ym---- , - , - - -
j . l 10'3 g [ t 6 i (m .- i
'b
~
10
., 4
;i :
- 3 ,
e
. . m J 4
, a 4 -
1 :
$10 ai '. = ;.1 * .. m ,
w 1 a.
.- ce
-} 2
=
; E 4 -
- w. 10 j E a Au.nsi.sAsscATuooniss
, Ce-w w
u x
---.__._,"'N.%
% .m.
W I t E c
%g\ -
l W \ - ! l > 10~7 - \ E. w
\
3 \
, C \
2 = d E \ i \ '{' f
. \
\
~
*j 10 - \
< \
tj i - \ es 32V g
.l --*
l dj . . 1 'q %.
. ,fo ! '
.! 10.g i f ta3 tot 102 ig 3 to 4
-i NUM8ER CF EAALY FATAUTIES
.i I* ' .i - FIGURE 2 5a. CONTRIBUTION OF RELEASE CATEGORIES
/t C TO RIT.K OF EARLY FATALITIES (MEAN VALUES)
+
{ 2-41 4 l -s .. . . . - . , . ,, .y-._.. . ; . . .s . .. . . . . . . . .. - _ . _.
~
w
'l. ,1 f
1
.2 N.' W 6 6 6 6 e
in . - ed G i .,) I
*.; 4 .
[ E
~
m.
~..
'1 i
- %v5
"""" y"*. % % %
[ l l
' { .\ N AL1, NELSAss CATEGORIES
-l 6
> ,.....E..V........~. .
s 8, c t
, E 3
6 .N. u .* *.* E
\ _Hr . ..,K s
E
'sg = n.% %
. a we i ,
l s .% O II t N. . V i U . 8 * \ .
. e t *
..4 8 \ \*\
.'/ . > s' -
!, . g\ .,
.n l \
- g . .
vN . a g'
** l s,< 8 I \
, ' . .' . s t . *. j ':j, ,g.4 *
\
E,.: , s
\ . ... g I u '<
- l .{.
f, ..) [3 2
,i , , , , t
,g
,)
g as- ist 3 ,2 ig e ,g 8 e g psunsetA 0F t. ATE 3ff CAsetEN PATAUT185 i FIGURE 2-5b. CCNTRIBUTION OF RELEASE CATEGORIES
- a; TO RISK OF LATENT CANCER FATALITIES 1 ,
t
. v '
1
- 2. 12 l
t i d I l .- .. . - s
~
"i s
t t i
- s i
t 6 6
.- 6
?
~
SS
;l , _- 309
[J.i !
- q,b d i -
E Iw Ei
,s l
I 3
&. s e \
i j N
, * \ -
- td -
'4 '
' \
z
* \
s e a \ 1 i 5 I --
.s td .
t 3 I a . l Ev* I g } s s y 1 I E s s gied _ l j .
-} g j *.,. m y 6 l \ -
N - \
, k 3 id =
{. k
.1 *h fj
- Aunussanonsr.~if anoas s
* - $' , . . } .
- g. ,d 0 3
e M IM sg2 15 10 NunseEN OF EAAt.Y P ATALaftES
,e FIGURE 2-6a. CONDITIONAL FREGUENCY OF EXCEEDANCE OF EARLY FATALITIE3 FOR RELEASE CATEGORIES S1,3T,32V, and T5V.
S MATRIX (MEAN VALUES) i U s e 2-43
-t
- e. .. .., ..
e ,wg.... . e. . , . , , . , , . ,,
+NF**** _ eu** p ** _ poems . . , - . ee no e se p. ,.
i _ __ I a (m - u
*n $ f, d
A -
. sf IIl .
f4 m te8 s.( ........... . , _ -
~~...,
- y ,
-1 . *'*ner. N
{j . N'...,,,...,,- N
.1 s . .
q ,,o.. - NN NN. ' ... n
,e 3 -
N - sx N ., , . .
- s s
- 3 3 s. N i.
4 . N &. .
; y \ .
8 1' \ % .
,- gg-I - *
\ \
1 J s Ev \ \g
; \ \ s
,m * -
\ .
't I . \ \
< ' \ .
s g i . S # - Ev\ *
\ \~ \ _ 'I .
j .
\
t i
\ i 5
f; e g- 1 %. 3 s \ g o , w y
\ s J \t
,;J L 3< - ,- \1 - is - i \ t
':q ; O \ g
. l.1 m 1 l . 1
- l. se e -
4 suouse rons .q
/.s t As.sousseroma5v aum usen son nLNo ss
.' i-t'! e t t e e i ,: se8 tot ser ,,a ,,4 ,,s o. NUMOGR OF iATENT CANCER PATAIJT188 i [.w 1 FIGURE 2-6b. CONDITIONAL FREQUENCY OF EXCEEDANCE OF LATENT i i CANCER FATALITIES FOR DIFFERENT RELEASE CATEGORIES (MEAN VALUE3) 4 .
~ , . . . .. .. . _
t
,m, -
s 3.0 INTERNAL EVENTS ANAt.YSIS
),
i
- The evaluation of internal events in the SSPSA uses support state id methodology. In this approach, a number of support states are defined for G.j , .
j l. various conditions of initiating event occurrence and system or train ,Ni availability.
~~ ,ij I . - The use of support state methodology in the SSPSA, in combination with very large and complex event trees, produced an analysis that is judged to be generally inscrutable and relatively useless to the reviewers for the determination of engineering insights. Althougn it was considered necessary to reconstruct the event trees to evaluate them, it was not possible to do
( this, because of the limited time available to perform the review, the extreme b complexity of the trees and the absence of critical pieces of-information in 4
-l the.SSPSA. The details are provided in the sections of this chapter.
$ ! In very general terms, the internal event initiating event analysis is
': I reasonable, comprehensive, and consistent with the state of the art. We b:
concurred with the selection of initiating events except for the division of n
,j: most of the general transients into several sub-classes, which we believe is ..t "g ;
unnecessary and inappropriate. .!n addition, three initiators did not receive l adequate discussion in the SSPSA, and it appears that at least two of these 7'/h 5 should have been considered as separate initiating event classes. The M 3 initiating event frequency evaluation was also generally reasonable, and the
. '}
l , event frequencies are generally consistent with other data sources, however, 2 (~ several minor deficiencies were identified in the review. 3-1 i
] _ , , , _. .
. . . . ~. .
84 Our review of the entire internal event analysis in the SSPSA is described in
, following sections of this chapter, wnich respectively address the topics
,4 .
il , listed below (in the noted sections): Initiating even'ts (3.1); event trees a
'j
.j
~
(3.2); success criteria (3.3); systems analysis (3.4); human factors (3.5); 4 failure data (3.6); operating experience (3.7); analysis codes (3.8); severe
~ /g i, , .1 , accident sequence progression (3.9); dependencies (3.10); and the approach to quantification (3.11). . 3, , .f t
i - s ' 'l . 1 O
~
1 -
- t ,
a
- -1.
- t.; :
$;1 i i d d !
.]
- q
. 3, N
' i, i I .- h 1 '> (, 3-la
.--n - _ . - - - - - - .-a , ----- - - - - . - - , - - - - -- -- -- - --- - - - - - - --------------------m-- --- - . - . - - - - - . -- - - ,- , - ---- -- n--
J i t
. -i t7 ,
3.1 INITIATING EVENTS-
- i
.I ,
The SSPSA evaluated more than one hundred individual internal initiating 4
).. I events in the process of defining a set of twenty-four internal initiator i l, classes for the study. This section presents the results of our review of the
.-j j completeness of the list of initiating events considered and of the frequency $. . estimates assigned to each event. ll .
- i .
3 3.1.1 Comoleteness of Initiating Events Considered
.I ~.!
g The SSPSA considered two general classes of initiating events, LOCAs and
- p. transients, in keeping with the traditional classifications. establisned in s .
previous PRAs. Three methods were used to identify the individual initiators { wnich make up these classifications. The first method is the Master Logic Diagram, .which attempts to trace the thought process which follows from tne .fd question "How can a significant release to the environment occur?" This hi diagram traces down to the types of initiating events which can result in a E failure to provide sufficient core cooling. The second metnoa is tne Heat Balance Fault Tree, which has as its top event " initiating event occurs." The i h ; tree structure and analysis is based on the concept that an initiating event
- i *
'$ must involve an upset or incalance in the thermal equilibrium of the plant.
a E The tree attempts to logically model all the ways in wnich this can occur.
'i
. The tnird method is the Failure Modes and Effects Analysis. This is used
'j specifically to look at support systems initiators in greater detail than is 1 /~~ possible with the other two methods. It is a " brute force" type of tecnnique,
's v
} 3-2 l . . . . _ . . . . . . . .. ..
- . _ a ..
m wnere various support system failures are postulated and their effects
,'.s .
tabulated to determine if eney constitute unique plant conditions wnien do not
- fit into the initiator lists developed from tne first two metnoos. The final list of initiators is then compared to initiator lists from other documents, h
fd such as EPRI NP-2230 [Ref 3.1 1], WASH-1400 [Ref 3.1-23, and NUREG/CR-2300
'I [Ref. 3.1-33, as a furtner check for completeness.
3 ' . at . ei 1 E.- In general, we found that the analysis performed as discussed above was . A comprehensive, and comendable in its attention to detail. The use of several e metnods provided assurance tnat all initiators were identified, since R initiators missed by one method mignt. be identified by another. Additionally, tne fact that the different checks snowed a substantial amount of overlap in
. ),
J the initiators identified gave us a good feeling that all tne techniques were
.5 capable of identifying most of the initiators, in at least at some level of detail. This means to us that they each have a nign level of validity. On tne other hand, we have nevertneless concluded that some initiators may not l
i have been considered in sufficient detail, which will be discussed later. L Overall, the process identified over 100 individual initiators. y . a Following the selection of the initiators, tney were grouped into twenty-four a Q initiating event classes. The purpose of this step is to reduce the numoer of i] - initiating events wnich must be analyzed separately by comof ning into a single 4
$ class all tne initiating events wnich have nominally identical effects on the k; plant. That is, any group of initiators wnich require the same response from '. 9 plant mitigating systems and which have the same effects on the ability of Q tnose mitigating systems to respond to tne event snould be placed in the same f.;
( event class. The twenty-four plant classes used in tne SSPSA are snown in i e
' 3-3 l
Table 3.1-1. In general, we concur with the selection of these plant clasres, l. with one notable exception. The division of most of the general transients i into classes 7 througn 16 is not necessary, since they do not actually represent differences in plant response or affect on mitigating systems. While we would agree that they do represent differences in the initial .y pnenomenology of transients, i.e., the root cause of the, plant trip is different, they do not in general differ in any other way. Witnin the first j few seconds following the plant trip, tney are all nominally identical in
)
- plant response and the need for certain mitigating systems. Some of enes do have a slightly different effect on the availability of a mitigating system wnica can supply secondary cooling. One way to provide secondary cooling is tnrougn tne power conversion system (main steam, turbine bypass, concenser,
'd condensate, and main feedwater (using startup feed pump) subsystems).
Transients wnich result in main feedwater isolation or MSIV closure, or any
)
condition which would lead to these events, renders this path unusable. Thus, these ten initiating event classes need only to be separated into two, loss of }j PCS ( power conversion system) an'd non-loss of PCS. Although the SSPSA separation of these transients into more classes than actually required, is h'; . H not incorrect, in a strict sense, it does serve to dilute the results and mask % insights. For example a particular accident sequence conson to a number of t\ these classes could fail to appear in a list of dominant sequences because the classes are no indvidually significant. However, they may be significant wnen 3 ,
' ~
h added togetner. The salient information required to make a reasonaole judgement regarding the importance of that sequence is that it is initiated by 4 4 transient class of a given plant response, and it is not important
.I 3 specifically now the transient developed in its first few seconds. Our
]1 h regrouping of taese transients into the two required classes is snown in 3-4
.....-3 . ._ ., ;
1
.S,
- t r ."
- TABLE 3.1-1 -4
.3 . d . INITIATING EVENT CLASSES IN THE SSPSA
.1. *.t J
y i Initiator Category
'l . 1. Excessive LOCA 4
4 2. Large LOCA l,
-l .
- 3. Medium LOCA C 4a. Small LOCA (nonisol'ble) a j a e
'a-4b. Small LOCA (isolante)
- 1
- h +
'i
- h. 5. Interfacing System LOCA
- l i
-3 4
.~.,.) i
.o '
! 6. Steam Generator Tube Rupture l l i
. j d"j , 7. Reactor Trip il 5
fl
!! 8. Turbine Trip 'l ,
i
- 9. Total Loss of Main Feedwater (a
2
'. 3-5
't
- - . . , ... . .. . _ _ . _. _. = . . . - - . __ -. ... .. .... - ._._ . .. ..
I i - s ! . d . 1 .
~
( s)
- 10. Partial Loss of Main Feedwater Flow 1
- t
?
i 11. Excessive Fe*dwater Flow
- s
.?
d
- 1) w 12. Loss of Condenser Vacuum b.
- 13. Closure of One MSIV 2:
1 14 Inadvertent Closure of All MSIVs
,. i 6
w j 15. Core Power Excursion 4
- 16. Loss of Primary Flow -
. (- ,:
- 17. Steam Line Break Inside' Containment c i
!! i 18. Steam Line Break Outside Containment u R
.+ .
- f' I r .
y.e l
- 19. Inadvertent Opening of Main Steam
+
! Reitef Valves s '
.1
[b 4 l 20. Inadvertent Safety Injection Signal kl id. i
- 21. Loss of Offsite Power
- ,j
.?
?
1 22. Loss of an Essential DC Bus fs '_'/ 36 i s
~
. . . , . ., - . . . _ , , . __ s- . . . . , . . . . . - - . - . . .- ..., .. ..- ,
r... . .. . . .. . . . . i
, t
. }
.'t -
- to L r.
*% e
!s ,
- 23. Loss of Service Water i.
'i t ,; - , ;; r
- 24. Loss of Primary Component Cooling ;
l}* I, 1 9 e o-A i
'aj h oo
- ~'
Ps r. A
- s
-1 i .
- 9. 4
*1 i
e D 1 lri !. < m I I 6 I1 L - ~. is i 3 e h. b
- i
'l a.1 ,
t I A
*l M
- l. I
..a r dj I . . f. ; . t *; . 4 .+4 i
., [
. 9 l
- i l*4l 4
L
'.tr
( (** r; V i I
- i . k. -
l} t . 2-7 , I '1 e eme a emeeesee= **- **
- e- .
I . . ..... ,, .x , . .. . ...._, . .... . . . .
- . . . . . . ~ .r.... .. . . . . , , , ..... r .... .
T
a . .. .. . . .. 9 Tables 3.1-2a and 3.1-2b, using the PWR transient list from EPRI NP-2230 to q
'{
illustrate now various transients would fall into the two event classes. It ,.. snould be noted that some transients appear on botn lists. These transients,
] ,
wnile not automatically failing PCS, would result in significant asyninetric
,1 y perturoations of plant systems which are more likely to result in failure of PCS than other transients. When determining the overall frequency of the ij event classes, we would assign 50% of the frequencies of tnese initiating I .
y events into eacn initiating event class. si d , d The remainder of Section 3.1.1 discusses individual transient events wnica we a i 4j l 7 consider not adequately discussed in the PSA. 3.1.1.1 incore Instrument Tube Rupture
.i O -
This event is representative of a class of LOCAs wnich discnarge coolant into
. the reactor cavity rather than to the containment floor, thus resulting in u ! initially no water buildup in the containment sump, which is required for Is recirculation. There was no indication in the SSPSA that enis initiator was
[ { considered in detail during the initiating event analysis. This event was t . O notaole in tne Millstone Unit 3 Probaottistic Safety Study CRef. 3.1-4], but g ]. p ! for one particular reason: at Millstone, recirculation is automatically
- 6. t I actuated five minutes after containment spray actuation. This led to the a
c problem enat for this initiator, if tne spray injection failed to function A there would be no water in the sump when recirculation was actuated and tne
.]1 , ;' recirculation system would fail. The inportant point in this is that 'l rectreulation could be actuated at Millstone prior to full RWST injection, .i , . .
V 3-8 9 I
..-....g. . - . ,
.- . ..m, .
. , , = . - . . .
----.-.....7
P TABLE 3.1-2a
- i PCS AVAILABLE TRANSIENTS FOR SEA 8 ROOK SASED ON EPRI NP-2230 N
EMI . 'r} NP-2230 FREQUENCY 5$ Event No. TRANSIENT NAME (PER YEAR) kl .
- 1. Loss of RCS Flow .39
')
- 2. Uncontro'11ed Rod Withdrawal .02
] CROM Problems and/or Rod Drop
- 3. .55 l, '1
- j 4. Leakage From Control Rods .02
*; . 5. Leakage in Primary System .08
.; 6. Low Pressurizer Pressure '-
.03
- 7. Pressurizer Leakage .01
. 8. Hign Pressurizer Pressure .03
- 11. C'ICS Malfunction - Boron 011ution -
.04 V 12. Pressure / Temperature / Power Imbalance .16
- 13. Startup of Inactive Coolant Pump .00
- 14. Total Loss of RCS Flow .03
. 15. Loss or Reduction in Feedwater Flow (1 loop) (50%) .94 p 17. Full or Partial Closure of MSIV (1 loop) (50%) .12 T 19. Increase in Feedwater Flow (1 loop) (50%) .35 E', ', 23. Loss of Condensate Pump (1 loop) (50%) .04 4-L us
- 26. Steam Generator Leakage .04
- 27. Condenser Leakage .05 Q i
!, j 28. Miscellaneous Leakage in Secondary Systems .08 ,].] ! 33. Turoine Trip, Throttle Valve Closure, EHC Proclems 1.38 !c 34 Generator Trip or Generator Caused Faults .38 'i . 36 Pressurizer Spray Failure .04
! 37 Loss of Power to Necessary Plant Systems (50%) .05
}d t 38 Spurious trips - Cause Unknown .14 i 39 Automatic Trip - No Transient Condition 1.55 l , 40 Manual Trip - No Transient Condition .62 b % 3 Total - PCS Availaole Transients 7.24 J 3-9
. .. . --.-.. - ,.-,_.. - .7 . .._ . .. --
- .> .? ..:. . .. .
a.i l TABLE 3.1-25
. ; O-d - :
LOSS OF PCS TRANSIENTS FOR SEABROOK BASED ON EPRI NP-2230
'E .d
- t! ,
~
EPRI 1 d NP-2230 FREQUENCY [j'... l Event No. TRANSIENT NAME (PER YEAR) ?! !
~.! 10. ' Containment Pressure Problems .01 I
- 15. Loss or Reduction in Feedwater Flow (1 loop) (50%) .94
$ 16. Total Loss of Feedwater Flow (all loops) .15 '. l 17. .
Full or Partial Closure of MSIV (1 loop) (50%) .12 4
,$ 18. Closure of all MSIV .03
- 19. . Increase in Feedwater Flow (1 loop) (50%) .35 I
- 20. Increase in Feedwater Flow (all loops) .01
- 21. Feedwater Flow Instaoility - Operator Error .15 Feedwater Flow Instability - Misc. Mechanical Causes
- 22. .21
. O 22. toss of Condensate Pum, (t iooP) (50%) .04
- 24. Loss of Condensate Pumps (all loops) .00
~
- 25. Loss of Condenser Vacuum .20
,j i
- 30. Loss of Circulating Water ,
.06 ..] 31. Loss of Cogonent Cooling .00 V .
- 37. Loss of Power to Necessary Plant Systems (50%) .05 3
- q s
! l j Total - Loss of PCS Transients 2.32 c) 3 .
- 4 q
.R 1
y i r', "
)
y/ l 5 3-10 e__- umme****. . e . eso _
. . . . . . . . - . ,.....nc ..-.e. .. ., - - . .
....7....
. . - - . _ _ _ - ~ - , - . _ - _ - _ - . - - - - - -- --- ,, ,
I 1
~
k j ,3 since RWST level nad notning to do with recirculation actuation. At Seabrook, st recirculation is actuated only when the RWST is virtually empty, so that the occurrence of tnis event is precluded. Even witn the flow going to the reactor cavity instead of the containment floor, we believe the injection of 9 h i the full RWST would cause the reactor cavity to overflow its cure, with the overflow going to the containment sump. Thus, there would be sufficient sump
- II level to allow recirculation when required. The failure of the SSPSA to 3
o f.y t consider this initiator as a separate event class is, fortunately, not a A A deficiency since it is. virtually identical to other small LOCA initiators for 8 i jj enis plant. However, it should be noted that this result is apparently a 5 , matter of luck rather enan an informed rejection of this initiator by analysis witnin the SSPSA. t 3.1.1.2 Loss of a Vital 120V AC Bus . i l The SSPSA considered this initiator in the initiating event analysis, but I later rejected it an teing an initiator. The material presented in ene SSPSA N > s 1 is contradictory and incomplete. It states, correctly, that loss of one of tne four busses will not directly result in a plant trip from the solid state ?) , protection system (SSPSA) because the loss will affect only one of the four 7e : ]j sensor input channels. However, there appears to be no investigation into whether the loss of a but will result in a plant trip due to the affect on f
'f other equipment tied to tnat bus. Further, no mention is made in tne
,1 initiating event analysis of an additional affect on the mitigating systems if li 1 - one of two particular vital AC busses fails. The 1 and 4 busses (apparently referring to busses A and 0) supply power, respectively, to the train A and S f ([ engineered safeguard feature actuation system (ESFAS) output relays. Loss of 3'.11
~ ' ^ - "
t
- power to these relays disables tne associated train of emergency equipment due to tne inability to provide actuation signals. This information is presented
, only in ene ESFAS systems analysis appendix. If the, loss of bus A or 0 -
J results in a plant trip with loss of one train of ESFAS, which we believe to q
" be the case based on previous plant analyses, tnis event should nave been
. considered as a separate initiating event class.
~
[.!
. b.
h 3.1.1.3 Loss of a Single Service Water or Component Cooling Water Train kj
- Altnough the SSPSA considers a total loss of each of enese systems as an u
initiating event, it does not consider loss of a single train. The basis used in ene SSPSA for tnis assumotion is tnat if a single train is lost, the plant 1 will not imediately trip. The conclusion is that the operator can proceed with an orderly shutdown, and tnus 1 is not an initiating event. We disagree s with this position. Althougn it may be possible, and even nighly probable,
. tnat an orderly shutdown will take place, it is definitely a forced snutdown enat must take place in the absense of one train of a support system. We s; .d believe that this is essentially equivalent to other support system transients a . '.~
and that two new initiator classes snould be added to account for these single N f,) . train failure events. .4 5.) ; d'o >-
. 3.1.2 initiating Event Frecuencies m
Z The SSPSA estimated initiating event frequencie:, by dividing the event classes 'd
,; into two general groups. The first consisted of those initiating events wnien
- were felt to be adequately represented by generic data, and constituted the
;: vast majority of tne event classes. The generic data utill:ed consisted
']
3-12 i
1, - I i 1
- I mostly of EPRI NP-2230 (Ref 3.1-13, augmented by a Pickard, Lowe, and Garrick
,' proprietary data base. The second group consisted of three event classes
! (interfacing system LOCA, total loss of service water, jnd total loss of
,f e primary component cooling) for which unique systems des,tgns required that a I !
.i ; plant specific analysis be performed. The treatment of the initiating event 1
l classes in this manner is, in our judgement, reasonable. . Table 3.1-3 presents
'1' l, a comparison of the'SSPSA frequencies (means and medians) witn data from other d
sources and studies. The table, snows that the SSPSA data is in general l.y 1 ! agreement with these otner sources. Our review judgement regarding tne
/ i 3 i reasonableness of eaca frequency estimate is indicated in the last column of l
the table. Where the values used in the SSPSA did not differ significantly
]} l*
I from :na other sources, we nave accepted tne SSPSA value and tnis is indicated by an "OK". Where the values used in the PSA did differ significantly and we
, ] '
I t felt anotner value should nave been used, the revitsed value is indicated. We nave also indicated values for the three initiating event classes discussed in - e the previous section wnich we. felt were omitted from the SSPSA. The remainder 1 fli of this section discusses the basis for our revised and added valuet, as well k - as a discussion of our verification of the interfacing systems LOCA frequency.
!2
j , t 3.1.2.1 Small 1.0CA
-{
b d j The SSPSA utilizes two values for small LOCA, representing breaks tnat can be
.I i 1 : 1so14ted and those that cannot. It was'not made clear in tne SSPSA wnat tj'l , ', breaks fell into these two categories. It is generally recognized that isolable breaks do not significantly contribute to overall small LOCA i frequency due to the amount of time available for the operator to isolate them i
'. ( prior to the need for emergency core cooling. This was adequataly 3-13
.ae a en o e e o e +e ee m *
.- , . . e . . w e=== =- w,e* * = .. .e e 4 .
- am * * * , e *
. 4 . .#~, , . e.- ,.w gs m m 7
I i t I i t (m i -:
,a ~
s::a ~~t g;g utan staa**** s stun nun
- 4 1
- s. .
. z -
4 ; ::x -- . [ l h.- kki 55 *t h~ t e t, 2
- -- - e.
14 4 2 30 0 ~i :: 3 . _ - . . _ - - . . - - y .; ..- :::,........~y y ,w ,?
,l ta === a aa == : aa a 11 ,
]. - , ;*
t .
' h - TT7 77 TTY 7-~
/ i a
a::_! 74E.s.~
<- = x~FiEE ~~~ E.MI -
E44
~~
== 5)8 I .
r- = z-
- : 4~ 1 --: ~~ ~t
- aa e : t~ :- -
II g!.
~ **..- .--~.- ~ s! *E .
i
; 5
== .:a
== xxw w wzaa a.: !
t . s- ,r T
, - .~_~=. x a
sg
.?
g
- s. = :=::: == w .
g:- l
'1 TTTa"T"TTTTTTT*??Ta? ?????
- 5. g
. a
.E.5
.: - I.I.*,W.N.E.g
- . . ~ -.:..~. - - -r e~ r-r .y.g.-~~~- g w yv.vw,---,w..= = x r g , , ,..
'$ TTT""T7TTTTTii"TT'i? 7-??? .3 5 g*WW
- g .8 8
~ ?q. 8
- a . ~~..~-------. m ...
.e - J. g g . *: . . g2 : *n g.,* *
- x g *4 g g g *:g
-~~ - ,n.
~-
J: 1 3 -1 - z p :: l1 : s I r a l * = a
- 2,j-a s;-
!~
- 13: 8 .s. 4 38 3 9] -
91 t I~ 2 a_. I, a a. ro i :.:: _! -3
- - I l,:2 .a ..4 s:- c.-x 3_3_ .g 4 . 3 3 - m ) g r2 r:=3: -
- . ,gaIg g ::
.. t:,-: s tr a 1
g:.: :. s.. 23 s : 11
-v t ' 3 -
.: w
.: 3 : 1y 4:3.g-
, :,J.r 8
- :- - 1.g1ma y 2 ,8 2458 -}y--::b.3:s~ Ull:': J J - - -
t
! 98-v 9;tj:s::. v a
.v.g,:3
- :: ;-3::s 3 4 t 3::- s:a..:.
y-isnists 1.:1.... 131 .. 3;1331::3
- s. 4 a -.s.2: . - o . a - 4 .3....:..:..:..:..:. -- :.n--
~
JJab$2Jadd55$$bbE$$$ kEbbEbb$
~~
5
.1' ..
( ' 3-14, 3-15, 3-16 i, i
. ~ . . .... . ... . . . .
.m - ~ . .
f' I 4 t' ; E demonstrated in a review performed on tne M111 stone-3 PSS [Ref 3.1-43. Thus,
;, {% .
1 . j- our principal concern is with the nonisolable break frequency. The comparison of values snown on ene table indicates a large difference in this frequency r ob between the various data sources. Tnis is based on wnether a reactor coolant
.j pump seal LOCA is isolable or nonisolable at a given plant. The frequency of f i i the random reactor coolant pump (RCP) LOCA is estimated at .02/ year based on i
'i: data from the AND-1 ! REP [Ref. 3.15]. The Seatrook plant does not nave
' t .
3 primary loop isolation valves, tnus this break should be considered d lj nonisolable. This value would therefore apply to Seatrook for nonisolable small LOCAs,.and is a factor of four nigner than tne SSPSA value utilized.
, l This is a significant difference, and we feel the nigner value snould nave been used in the analysis.
l
, p 3.1.2.2 General Transients .
.' . v i
The revised values for the general transients (classes 7-16) result from tne i d transient regrouping discussed in 3ection 3.1.1. The values snown in ene last b , column are for non-loss of PC3 and loss of PC3 transients as defined in that a fj section. The development of tne values is snown in tne frequency column of
- 1 -
'] l Tables 3.1-2a and 3.1-2b and are based on EPt! NP-2230. Note that enere is
/p ; virtually no difference between the sum of these values and tne sum of the
.1 4
$1PSA values for event classes 7-16, so tnat the effect is due to the
.]a t 4 ,
regrouping only. . 1
~
l 3.1.2.3 Loss of 120V Vital AC Sus A or 0
' r"~ The value used for snis new initiator is taken from the ANO-1 ! REP s 'J .
t CRef.3.1-5] database. .
~
3-17 l
- l. . _ .. .. _. _ . _ . . _ _ . ,. _ . ....._
m - _ _ - ._ . , i
' ' 3.1.2.4 t.oss of a Single Service Water or Primary Component Cooling Train \,
q The values for tnese new initiators are taken from EPRI NP-2230
, [Ref.3.1-1]. In finding these values, the assumption was made that the event - lI frequencies for these initiators could be reasonably expected to be equal.
o g .- )l
! 3.1.2.5 Interfacino Systems t.0CA (Event V)
- s t <
I I In attegting to verify the plant specific value determined for this
! initiator, we determined tnat it was not possible for us to duplicata the i
e I answer snown in tne SSPSA using the valuas and equations presented tnerein.
, We therefore performed a siglified but independent analysis to determine tne i
frequency of tais initiator. The arrangement of piping sensitive to event V
- is shown on Figures 3.1-la and 3.1-lb. We based our analysis on the metnod I
; used in the Crystal River-3 Safety Study (Ref. 3.1-6]. The failure rate for f catastroonic internal leakage of a motor operated or check valve was taken to f be 1E-7/nour from MUREG/CR-2315 (Ref. 3.1-7). We assumed tnat for tne cold j l 1eg injection lines, rupture of any two check valves in series would result in 1 ?
j 'j an event V wnica could be isolated by the operator by closing tne appropriate ]II . motor operated valve witnin 20 minutes. A numan error probability of 0.1 was
*i . assigned to tnis task based on the cognitive error screening :nodel from ,] i
,) , MUREG/C3-2815 (Ref. 3.1-7]. We further assumed that tne inboard valve in any patn must fail first before the outboard valve is exposed to nign pressure. -l
; The frequency of event V can tnus be estimated as follows:
s - t 3-13
~!
) . ..
r ..... .. .. I i 1
,; p, - .e ~.
t 5 4 4 j i q l
'i -
i i I
.) .
l HIGH LOW lI PRESSURE PRESSURE l g
-}
R I
- 'A
. X RH.vst Z.
RH V31
'~} St.V2a m LPI system C '
TRAIN A
. T l
' l RH.V14 I R A x 'A l SI.V5 RH.8g RH.V15 l- .
4 . y i Z X M E l . s Ss.Voo RM.Ves NH.V3D
~
_ mmy
.q '
g l TRAIN 8 RM.V28 f ' L N N l '. St.V38 R M.V G RM 29 M '
,]
INSIDE I l .51 CONTAINMENT l l .. ~ I
.a ,
f ,e n
;; FIGURE 3.1-la. COLD LEG IKlECTION ARRANGEMENT t
i
../
I 3-19 i g .y uu. . m .g e.a 4..e W. N M g
%. 1 N'
,3 U .:3 1
e
)
Y d .
.J
]
.l .
R HOT t.IG
, g : TO RHR NMP
'1 A RM V87 MH VM
, C
..~ y
-; O
. Y l E 3 HOT t.fG ; TO RHR NMP E y m L Q RH V22 RM V23 o
d. 4 1 1 4
'i i
FIGURE 3.1-lb. RHR SUCTION ARRANGEMENT
':]
y
.a J..
-t
'o .
I { a ,./ I i 3 3-20
.] , . . . . .. . - .
4
, N >
- Injection Path:
- j j Single Check Valve Path
h (IE-7/hr
- 8760hr/yr) * (1/2yr
- IE-7/hr
- 8760hr/yr) = 4E-7/yr
- { . ,
3 Adjusted for Two Patns per Train with Operator Recovery: d *
- j . (2
- 4E-7/yr)
- 0.1 = SE-8/yr
- 2 trains = 2E-7/yr 1
.1 TOTAL EVENT V FREQUENCY (INJECTION) = ZE-7/yr l
'I 1 Suction Patn:
.Y L. l
'- Two Suction Valve Paths:
] gj ,_-
,j ((1E-7/hr
- 8760hr/yr) * (1/2yr
- IE-7/hr
- 8760hr/yr))
- 2 = 8E-7/yr I
TOTAL EVENT V FREQUENCY (SUCTION) = 8E-7/yr s @ Thus, our estimate of the frequency of event V from the above calculation is: vj , ?.] l
- . f l TOTAL EVENT V FREQUENCY = 1E-6/yr
,1
~.
- . j This value is close enougn to the SSPSA mean valve to serve as an independent
.I ! verification of tne SSPSA calculations. Thus, we conclude that the event V
- i '
frequency used in tne SSPSA is reasonable.
- i i
.) j 3-21
. _ _ - . . . _ _ _ . . . . . . . ~ , . , . . . . ... . _ _ . . . - _ .
n 3.1.3 Issues of Importance to the NRC k ~) i
' In their instructions for tnis review, the NRC listed certain issues of .* concern to them. They wanted to know how these issues were treated in tne 3 SSPSA. Some of tnose' issues were either treated or should have been been ^!
I treated in the initiating avent analysis. This section discusses those
' i, issues. .4 i .i 3.1.3.1 Issues Directly Included as Initiating Events .i 4
M A numoer of tne issues of concern were directly included in the analysis witnin the more than 100 internal initiating events evaluated. Those i ..
- issues / events are:
!{
}
. (-
.f . -
LossofCCMi##
.) .. _
Steam Generatof(u$ Rupture j ; .
- Loss 'of Service Water
+1
- Turbine Trip
- 1
- Loss of Main Feedwater
.}
l !.0 - Loss of Component Cooling Water 3 4 d - Reactor Coolant Pug Seal LOCA
,9 tq
] - Soron Dilution
+
- Excess Feedwater Flow L .
'{
- Loss of Instrument or Control Air e -,
3-22 , 1
+ . . . . . . . , . * . . , , ~ + . ..
-.,-,._, g. , m . . - . -.w ,
,.,fe%...-. .
i
a .'7 3.1.3.2 Issues Excluded as Initiating Events r Two issues of concern were not included as initiating events in the SSPSA, and j il we consider their exclusion to be justified. The first is multiple instrument A i ! tune LOCA below core level. This event is sirmly a larger version of tne i S initiator discussed in Section 3.1.1.1, and is reasonably excluded based on l j. j the same arguments. The second is loss of ventilation in the auxiliary
.s 2 -
I building. In general, previous PRAs have not considered these events as
.A initiators. This approach is considered to be reasonaole since ventilation
,t g
-) losses to specific plant areas are not likely to result in botn plant trip and -
) degradation of mitigating systems in ways not forseen by other initiators of greater frequency. It is our judgement that tne omission of tais event as an initiator.does not affect the study results.
L %.: J
'l Issues Improcerly Excluded as Initiating Events g 3.1.3.3 'j .
q 0 Only one issue, loss of instrument and control power, was not properly y considered in the PSA. This is discussed in Section 3.1.1.2.
- 4
~k "s l
'. t. !
1 - ' ,$.' d, l p
,a'
.)
. ..}
4
. .l 'j .-
I' 3-23 s i
* *=em een* * =.. e, . - - .
.-. .w..- .. . . . , . _ .
( 'T References for Section 3.1 ,. . L I4 i . n 3.1-1 EPRI NP-2230, ATWS: A Reappraisal, Part 3: Frequency of 1 ^ Anticipated Transients, January 1982. k b ,f 3.1-2 WASH-1400, Reactor Safety Study, October 1975. 3.1-3 NUREG/CR-2300, PRA Procedures Guide, January 1983. .j 3.1-4 Northeast Utilities, Millstone Unit 3 Probabilistic 1 Safety Study, August 1983. 3.1-5 NUREG/CR-2787, Kolb, G.J., et al, Interim Reliability Evaluation i1 Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant, June 1982.
. 3.1-6 NUREG/CR-2515, Garcia, A.A., et al, Crystal River - 3 Safety Study, ,3 a
4 December 1981. i 3.1-7 NUREG/CR-2815, Papazoglou, I.A., et al, Probabilistic Safety
.t
- q
- Analysis Procedures Guide, January 1984 i
+ .
-1
'l 3-24
.., - , - . _ . . . . _ . . . ...._.. . _ _ _ , ., _ . _ . .. ..s_,_ .....
e .
.o .
i e m 3.2 EVENT TREES t _. - d The SSPSA constructed 10 event trees to represent plant response to the initiators discussed in Section 3.1. We have reviewed these trees to f determine if eney are a reasonable representation of tnat response. The c assumptions used in the tres construction were compared to assumptions used in I previously performed pRAs. Where there were notable differences, these differences were evaluated to determine if they were reasonable. The f evaluations consisted of reviewing calculations provided in the SSpSA,
! reviewing applicable reference materials, and performing limited calculations Eacn of tnese differences and our final conclusions regarding their validity are discussed in tnis section. In addition, a numcer of issues of specific l interest to the NRC were also, examined.
1 '
) (3
% of 3.2.1 GENERAL. EVENT TREE FINDINGS _
This section' presents the results of our eval'uation for items which pertain to I*4 a numoer of event trees,
}i
j
.i We found tnat the event trees correctly represented the phenomenology of tne
- sequences in most cases. That is, only a few errors were identified wnich resulted from the conversion of the description of the pnenomenology to its
. representation in an event tree format. This does not mean tnat we consider i the trees to be a correct representation of plant response: in fact we have -
serious concerns about some assumptions and conclusions used in describing the pnenomenology of plant response. These are discussed in detail in the next section. We note, however, that we believe the event tree design concept contains deficiencies. 3-25
,,y . , . . . . . . .
. _ % .. . ..-.c.- . -- - - - . - . . - . . . -
^ ^
. . . . - + . . ,. -.. .. . . . . . . . .. .
* - ~
i ' 6
'- G i
l The trees are very detailed in certain areas, and not as detailed in others. mi This is due to a requirement, for quantificatif on purposes, to nave each event + on the tree be independent of the others. There is also an effect from the utili:ation of long and short term trees and transfers from the latter to the
" ; former. The result is that in some cases it was necessary to put individual ' -l' t
components on the trees, rather than in the systems, wnen that component was
. .l .2
- snared between two systems. Also, the need to transfer required that transfer i
states exist which considered the precise number of system trains operating, ratner than just wnetner a system had met its required success criteria. , Thus, individual trains were also represented as separate events on the e trees. This complexity rendered the trees extremely difficult to follow and
}
analyze, i.e., tney were quite inscrutacle. The numoer of sequences on each j; 9 tree was on the order of 100 times greater than tnose from previous SSPSAs.
. The proliferation of sequences made the trees significantly less useful as an i -
' engineering tool (sigle insights were igossible). Furthermore, tne large l
.l number of sequences, scme representing failures of entire systems and others
-) representing failures of individual components, created a situation where
. :..j p] i " sequences" in some cases were nothing more than the equivalent of a single l cut set. In other cases, sequences represented system failures for wnien the 3 analysis could not provide cut sets. The resulting mixture of contributions
~
made it difficult to determine the dominant sequences (in tne traditional . . t l; . sense) because they were so fragmented. Identical system failure combinations and event pnenomenologies, which normally appear as a single sequence, were actually often represented by many incividual SSPSA sequences. This resulted in further masking of engineering insignts our conclusion is tnat the event
![' , tree models used in tne SSPSA, wnile not being incorrect in the strict sense i
. 3-25
, _ _ , ~ , , .
-,,..-w--c--.-,.---- --- g .- - r - - . - - - - - - . - . -
of tne word, do not represent an advance in the state-of-the-art over event - q trees constructed in a more traditional manner, particularly in term of their usefulness to the NRC in performing its review function. They are, because of their unnecessary complexity, virtually useless to the reviewers in the determination of insights concerning the effects of our conclusions regarding 4 the differences in event phenomenology which are discussed below in Section i* 3.2.2. We consider it necessary to re-construct the trees in a more . i reasonable format, incorporating our specific findings, in order to evaluate j
- them. It was not possible to do this because of the limited time available to perform the review, the extreme comolexity of the trees, and the absence of critical pieces of information in tne SSPSA.
i
; 3.2.2 Specific Event Tree Findinos t
1 n i v This section presents review results applicable to specific event trees. 1
!l j ,
3.2.2.1 Generalized Transient Event Tree (Short Term)
- i 4
2.1 ' A nuncer of areas in the transient tree are unusual, and in some cases
.] -
contradictory. First, tne text of the tree description states that it is ,s ,'I , [, possible to avoid the need for recirculation in bleed-and feed scenarios by initiating closed loop RHR cooling. It would appear the assumption is that it
- is possible to reduce the primary pressure below the RHR initiation setpoint i
Vj by using high pressure injection alone, and that it is possible to do this
. prior to depleting the RWST. The text does not state what kind of operator actions if any, would be required other than initiating bleed-and-feed and,
/~
later, RHR. No documentation is provided to support this contention. The 3-27
.. . . .y .. . ... ,,. . , , , . . _. . . _ _ . . , , . . _ _ . _ _ . . , . . . , . . . , _ _ , . _
.. . . . , .. . . . . . . . - ~ . . . ..
.m tree structure indicates that tne tree itself contradicts the text in this "i
area. The tree indicates that all bleed-and-feed scenarios transfer out of
}
the tree to nign pressure recirculation. We believe that the text is i ' optimistic in this area, and that at the very least, substantial operator action would be required to implement tnis cooling mode prior to the need for ]- , 0 - recirculation. In the absence of proper documentation, we conclude tnat ( e recirculation should always be required for bleed-and-feed scenarios. Since } : this is apparently the way it was modeled on the tree, the SSPSA analysis was b quantified correctly. 1 q The SSPSA concined normal turbine trip with MSIV closure into the single event ] I TT on the event tree. This led to the comoination of secondary cooling by startup feedwater and emergency feedwater into the single event EF. These s
; events do not properly represent the plant response. . The normal startup .
feedwater cooling patn is enrougn the main feedwater lines with steam cooling t through the turnine bypass and the condenser, and pump suction from the .d condenser hotwell: in other words, the use of the normal power conversion 1 3 system (PCS) for secondary cooling. However, this path is available only if d , A - the MSIVs are open (normal turbine trip functions sucessfully). Emergency
') j feedwater can function witn the PCS failed (MSIVs closed) since it takes suction from tne condensate storage tank. Thus, the way in whien TT succeeds } !
4 ! has a direct bearing en the availability of secondary cooling systems. This also makes a difference for different transient types. Loss of PCS transients would imply that this startup feedwater cooling path was unavailable. The tree should have been structured with four events: turbine trip (TT), power e conversion system operation (PCS), MSIV closure (MS), and emergency feecwater i ~
/ ; (EF). PCS would be considered cnly for non-loss of PCS transients wnere ]
~! 3-28 i
-4
m turoine trip-succeedec (precluding the need for MSIV closure). This would correct ne present proolem where the different ways of accoglishing TT and E.: as presently defined are not phenomenologically equivalent. . 5 . The tree does not include an event for a transient-induced small LOCA, i.e., a stuck open FORY following a transient initiator. This event should be { included. The probability of occurrence of the event would be the combined rf : prooabilities of .(1) the valves being demanded given the initiator, (2) V f ailure of one of the valves 'to reseat, and (3) failure of the operator to
- {
- isolate the stuck valve by closing the appropriate block valve. A reasonable
- )
"' analysis of this was performed in the Millstone Unit 3 PSS (Ref. 3.2-1).
j ineir analysis estimated tne event probability to be: i P(S2) = IE-2
- SE-3 * .5 = 3E-5 il wnich we consider reasonable and applicable to Seabrook, given the similarities between the plants. (Note: We would have used a higher value for a valve sticking open (4E-2 from NUREC/CR-2728 [Rev. 3.2-2]), but a lower valve for the operator failing to isolate (IE-1 from NUREG/CR-2815 (Ref. 3.'2-n 3), whicn results in essentially the same answer).
- t
'd . The tree considers two separate events for controlling pressurized thermal O l ,3 ; shock (PTS), event OM for control of feedwater and event OP for controlling 1 ;
.) i~
HPI flow. Both of these events are part of the same action, and the key to 1 j this action is controlling HPI, since PTS will occur if HPI is not controlled 3
'j,9 wnether or not FW is controlled, and PTS will be' prevented if HPI is control'.ed whether or not FW is controlled. Separation of these events, wnile t
]f not incorrect in the strict logic model sense, results in the creation of i ( additional sequences for no apparent reason and also leads to an imoroper v
e
% I
. 3-29 mee-.e + ew. ,en.- _ .. e .osus a .
. , .. . . . ,g,. . . . - ...y y.m 7 7 . . . . . . . . . -me r - . . -
- . .~ . . . . - . . . . . . . . ~ . -
a l l
- n. 3 representation of the operator action in the human reliability models. These j
J' events should be comoined into a single event OP defined as One operator j preventing PTS. 1 j For sequences where emergency feedwater succeeds and there are no LOCAs, an event ON is considered wnich represents the need ,for the operator to perform a o) ( plant stabilizati.on and cooldown function in order to prevent CST depletion ,I and core melt prior to 24 hours. This is based on the 200,000 gallons of CST water " reserved" for the emergency feedwater system being used up before 24 d . - J4 hours unless the operator takes some action. We disagree with tnis assumption a for two reasons: first, there appears to be 89 full power seccnds of neat
~
removal capability in the water originally contained in the steam generators
;'I j' at the beginc.ing of the transient. This alone would extend the neat removal '. I f-~, capability beyond 24 hours without operator action. In addition, the CST is a ] '
(. 400,000 gallon tank, with an alarm at the 90'.(360,000 gallon) level. Plant procedures require that the tank be refilled if tnis alarm setpoint is 2 reacned. Thus, the probability that the tank would only contain 200,000 gallons at the time of the transient is negligiole, and credit snould be taken Q j for at least 360,000 gallons. This amount would be fully available to tne J . Si ! emergency feedwater system, since there would be no otner use for it during
'1. i ;.l ! the transient. Obviously, credit for all or only a fraction of tnis extra .! i d cooling capacity would mean that cooling would be available for over 24 hours without operator intervention. We tnerefore conclude that event CN is not f.1 l ,
required for this case. The delection of tnis decision point from the tres q D eliminates a large number of extraneous sequences. 3
-i
" In :ne case of an RCP LOCA, the SSPSA defines event ON as the operator taking
-l 3-30 t
a
- - ee e+ eeee -e-,e- - . + = . . . . .
.e .u,,,_p., m ,m , . .
;yg e e, ,7 y e.-wee - p o- .y g ,esem s . .= -,ee -- v.o,__ _ ee . _
1
- ...... . . . . , - . . . . , . ~ .
t a . action to depressurize the primary and reduce break flow, thus extending ' the
.g time to core melt and resulting in a late rather taan early core melt. Ne b calculations are provided to justify this scenario. Wh'ile it may appear on d the surface that reducing pressure should reduce the coolant loss, this may % not be the case. First, it 1.s not possible to reduce flow by reducing y
pressure, while critical flow conditions exist and in the absence of an
)l analysis it is not possible to determine at wnat pressure critical flow }.) f conditions will no longer exist. Furthermore, acnieving subcooling may result j
y
- in passing water only out the break ratrer than steam, so that there is a concern that mass flow may actually increase during the aggressive cooldown period. We also point out that the assumed flow ratas for RCP LOCA used in 2,
the SSPSA appear to be arbitrarily selected and extremely optimistic (see M
Section 3.2.3.1). Thus, in the absense of furtner analysis, we nust concluce y tnat event OM as presently defined is not capable of delaying core melt in
'j r]
b a tnis case. If ON were redefined to include the requirement for low pressure 4 1 injection (RHR injection mode), we would agree that a late melt would result, gj - Jj since the capability to use secondary blowdown and LPI for small LOCAs in lieu I of HPI has been adequately demonstrated in WCAP-9754 (Ref. 3.2-4).
'h
- .3
! . .) . gj The SSPSA assumes tnat failure of event TT and failure of the operator to
,41 H 6 control feedwater alone witn failure of HPI (either directly or by failure of
.4
- ! the RWST) will result in core melt. This assumption is not realistic. The Q>
f first two failures result in a severe ove,rcooling transient wnien is the first N step towards PTS. However, the HPI failure means that PTS cannot occur.
? ..
; Thus, we are left singly with the overcooling transient. While this is not the most desiraDie condition to be in, the nature of this scenario implies
}
a
! /. - that sufficient cooling (indeed, more than sufficient cooling) is available to
- v 4 .- I i
3-31 L. i
- - - . . . m -- . , . . . . . . , . . ; _, , . ,. _. . . _, _ ,
i
. e prevent core melt. Previous PRAs have not assumed that overcooling results in i
(# core melt, and we have seen no other analysis wnica leads us to a contrary e conclusion. Thus, we conclude that this scenario should not lead to core melt l
,, and the tree is therefore incorrect.
1 i
.}j l.
e I 3.2.2.2 Small 1.0CA (Short term)
- ). .
91 d
'j The ma, lor problem area in the small LOCN event tree involves the operator ' 'A .
action event OM when both emergency feedwater and HPI are successful. For
>- 8 'l this scenario, event ON represents the operator taking the necessary actions ', l to reduce the primary system tamperature and pressure to estaolisn RHR .)
- j conditions. The problem with this action and its subsequent effects is u
twofold. First, the SSPSA assumes that a core melt will result if the operator fails to take tnis action. Thi.s is completely contrary to previous PRAs,-NRC licensing requirements, and FSAR analysis. It is well known that { i f the operator need take no action in this case other than switching to high c' l pressure recirculation following the depletion of the RWST. His failure to 7j ;
,< t J.y meet RHR conditions does not preclude his ability to utilize high pressure s l % i recirculation, since HPR is capable of pumping water at cuch nigner pressures d:' I than RHR. The second problem relates to the assumed effect of tne operator si j i successfully performing action ON, that is, the assumption that this will 1
4 l preclude tne need for any recirculation. This implies that it is possible for the operator to bring the RCS temperature below 2120 F, thus terminating break 3.4 , flow, before the RWST is depleted. Tne temperature nust be lowered tnis noch M i [* i in order to terminate break flow because the containment can be assumed to be p ; at atmospheric pressure, and the RCS will seek to reacn an equilibrium with 3 it. Boil-off and coolant loss will continue until tne RCS is suecooled at .u .
/v~
3 3'-32 in
.s 4
.= .... . , . .
qm _
* 'M g6 y gg g g g g ,g g-gigyg,Q9 , Q., , , q gg e , __
,, pp
. .. . .. .. - - ~ . .
3 i I
.: i ,
atmospneric pressure, and makeup will nave to be continued until this time.
.- It has not been demonstrated by detailed analysis that it is possible to 3
accomplish this at Seabrook prior to RWST depletion, and thus the assumption b that recirculation is not required may be optimistic. In the absense of 3
.i .-
justification,to the contrary we believe that recirculation should be required 4 j -I for all small LOCA events and that the only credit wnich snould be allowed for
.a
.1 the success of action ON is to reduce RCS pressure such that a failure of N. l recirculation will lead to a low pressure melt instead of hign pressure melt. t J
?.
s The SSPSA takes credit for an alternate cooling metnod wnen auxiliary d feedwater is available but HPI fails. This involves the operator blowing down l
,e the secondary in order to reduce primary pressure and utilize icw pressure
- l injection (an operaf.ing mode of RHR) to provide makeup. This method has not
!- been credited in most PRAs, however it is included in some of tne more recent
; ones. Analysis of this technique applicable to Westinghouse plants is
'! contained in WCAP-9754, (Ref 3.2-4) and consider it sufficient to allow credit' 1
,; ; for enis cooling metnod at SeabrooK. The SSPSA is optimistic regarding tnis i
' )) j
- r scenario in one area, however, it assumes that if the operator performs the
'n
; depressurization but LPI is not available for some reason, a late melt will y - occur. There is no justification provided for this and we are doubtful of the y
j i validity of this assumption. This scenario is an injection pnasa f ailure and { n :
;U ., injection phase failures are generally assumed, logically, to lead to an early (4 '
. melt. Thus, we conclude that this scanario snould lead to an early core melt.
!S.
- c ', !
i For tnis initiator, unlike transients, the combining of turbine trip and MSIV i closure into a single event is acceptable since the occurrence of a safety lJ ' injection signal will result in main feedwater isolation, causing loss of the
- l. 3-33 l . . _ . . _ . . . . . . . _ . ..
l .. . . _ . . _ - . . . ,.s...___,. . ., _ . _ . . . , _ . ~ . _ _ _ _ _ _ . _
' l 1
,< l q
.s PCS cooling moce discusseo in the previous section. Thus, enere is no need to
- )
- make the distinction between TT and MS, since this nas no effect on the IJ 4 remaining secondary cooling method utilizing emergency feedwater.
.1 The SSPSA assumes tnat wnen TT fails (overcooling occurs) and the operator f' ,
Eu- i fails to control faedwater that feedwater will be lost. This leads to the ,, d I . 'h i assumption that if HPI is unavailable in this situation, a core melt will 'd ! jj result. We consider this assumption conservative and do not . agree that M failing to control feedwater will result in its eventual loss. In these' +
,j c
) ', cases, credit snould be given for feedwater continuing to function and tne d
] operator depressurizing to allow the LPI mode of RHR to provide the necessary makeup. Given nis is tne case, the events OM and OP snould be comoined into a single event for preventing PTS as discussed for the transient tree.
's f(
( 3.2.2.3 Medium LOCA (Short Term) , 4 , 4 1 , In general, the medium LOCA tree appears to be a good representation of plant
. response to tnis initiator. The only error is that tne SSPSA assumes an early ':t 3 - core melt results in cases wnere injection paase cooling succeeds and the RHR T4 .
M pumps f ail . This is in contrast to the sequences where injection phase 1 j cooling succeeds and the RWST suction valves fail closed (wnich would also
]
i 1 cause tne RHR pumps to fail), where tne SSPSA assumes that a late melt
-]
b 1 . occurs. We see no reason for.this contradiction, wnicn is contrary to
;{i f l i l assumptions made in previous PRAs that successful injection always results in o .
a late melt if recirculation is unavailable. We believe that the former scenario should lead to a late melt.
'; r'
] _/
3-34
.. . . . . . ~ . . . . . ~ . . . . . . . . . . . . _
w, _
~ ,I
<. 1
! ! The other problem involves the consideration of functionally redundant or O extraneous decision points when nign pressure injection is available. If HPI
.q. .
is available, it is capable of supplying all the required cooling in the 'O-{
' .] .
injection phase of the analysis. It is not necessary to consider other actions to provide injection phase cooling in these situations. However, the ja tree considers tne availability of emergency feedwater and operator action to
- n blow down the secondary and depressuriza under these conditions. These events 9]'? }
- p l are not required and do nothing to ennance the sequence model. They serve
. s[ - I{ only to create a greater number of sequences whicn are nominally identical and l j whicn'tnus furtner dilute the core melt contribution of any one sequence. u -) These decision points should have been excluded in order to improve the j insignts gained from the analysis, j
-6 3.2.2.4 Long Term Plant Response ( All Initiators Except Large LOCA)
,q U
i,. i The two long term trees constitute a reasonable representation of plant response in the recirculation phase. The only problem is that the 9 relationsnip between air purge isolation and containment isolation and the effect of containment spray is not made clear. This issue concerns ' k;..; . containment response and source term analysis, so tnat it is not witnin tne A)J b O ! scope of this part of the review. .Thus, we do not believe the tree should be I 's i !Ei ! changed unless at some later time it is concluded that the way in which taese .J .;
-t events are handled fails to correctly model unique damage states.
l '~ l h: ; r{ i 3.2.2.5 Large LOCA (Snort and Long Term)
.a 4 -O There are a number of problems with tne large LOCA analysis. One of enese is 1
V t
- 3-35
( . 7, . r .. ,,_
. . . . . . ~ . _ _ _ . . _ . .-
i i that the SSPSA assumes that there is a need in the long term to switen from l 3
. .j f
cold leg recirculation to hot leg recirculation. The basis for this is a j perception that boron precipitation within the reactor vessel could lead to coolant blockage. This assumption has not been made in previous PRAs, [ si l altnougn we are aware that it is addressed in licensing analyses. We believe i j
.? g this assumption is the result of depending on overly conservative analysis for d,1 j judging the need for this action. This event snould not have been included on .n 1 2 i 1
the tree. hh 9 The SSPSA includes the containment enclosure building ventilation (EAH) system J'3 -l on the tree. We do not believe that tnis system is required to operate for
.ti {
;) I tne long term success of the RHR and CS pumps as stated in the SSPSA. This is discussed in greater detail in Section 3.10, wntch deals with support system I q dependencies. However, even if this system is required, we would not agree L l./
i with the tree structure. First the EAH system is considered in the support
. ! state analysis before the tree is entered, and that should be sufficient if .i 1 'I handled prcperly. If enat were not sufficient, then the EAH system snould t.2 ,
fy have appeared on all the long term trees, not just this one. The way this is 1 5 nandled is inconsistent and generates concern about the proper coordination of o' ;
.j : the various parts of the study. Furthermore, on the branch wnere EAH fails, there are decision points for both RHR trains leading to the same plant damage 3 \
jl} j states. This creates unnecessary additional sequences wnich add notning to T l tne insignts from the analysis. It would be more appropriate to use "5 i.
.s } j (guaranteed failure) at these decision points. This also raises up a concern y .
R, I tnat this treatment occurred in the quantification of other trees for various
', support states, that is, that failure values of 1.0 were not properly applied so as to eliminate meaningless sequences from ne analysis. This issue is '} ,
Q_ 1-36
- . - .. _ _ . . . _ y _ ,.
s - I discussed further in Section 3.11 of this review. Our conclusion, as stated n . i3 ' at the beginning of the paragraph, is that system EAH should not be included i-en the tree because it is not required for the long term success of the RHR N and CS systems.
- 1
- 1 p i 3.2.2.6 Steam t.ine Break (Short Term. Outside Containment) 4 .
d !
.1 1 1
i 0-l f This tree bears a significant resenelence to the general transient tree, wnich d.a 1 is reasonable since an isolated steam line break is very similar in its (,j j pnenomenology to most other transients. The blowdown of tne faulted steam 1a s
- generator (we note that the success state for main steam isolation allows for 1
the failure of one isolation valve) results in a more rapid initial cooldown, which will cause a safety injection signal, but tnis is of little
; consequence. Thus, all of the coments whien were made in Section 3.2.2.~1 for
; tne generalized transient tree are also applicable to this tree, except that I
t . it is not necessary to consider PCS and TT separately since tney would not be l
+
i* available in this case.
~1 Y>
The one major difference between this tree and the transient tree is that on
. k j]
tnis tree there is a decision point for HPI in cases where MSIV closure and kj ; AFWS succeed. The availability of HPI in this case does not affect the final
*( ,
plant condition in any way, since it performs a redundant cooling function not { {! required for transients when secondary cooling is available. We agree that (1 HPI will be comanded to start, but whether it does or not is of no concern. }] iT t i Including this decision point serves only to increase the nunter of sequences i j on the tree without increasing the understanding of the event in any
~
1 ( , meaningful way. Therefore, tnis decision point should not be included on the
!i 3-37 e
i
.i i . - . . . . _ . . . . . ..
_ . .....,_.m......... _ _ . _ , . . _ _
. , . " + j, 3., t . ~ ' . '
- _ . . - . _ . - . . - . . . - . , _ . - - , . - - - - - ~ . . - , - - - . - - - _-
.m tree.
Aj 3.2.2.7 Steam Line 3reak (Short Term. Inside Containment) k j - In our review of this tree, we noted significant differences between it and D' the steam line break outside containment tree whicn we could not explain. d l b} ! There appears to be no real basis for expecting or modeling significant i ! V ! differences in plant response between tnese two events. We can see only two
] actual differences in the events, wnich have even the potential to affect 1 >
plant response. The first is that there will definitely be a blowdown of at s least one steam generator, since ene faulted steam generator cannot be isolated. The effect is minimal, and will result only in a more rapid initial j 3 cooldown whicn will cause a safety injection signal, but this is of little consequenca since one is expected anyway. The second differenca is that tne blowdown will occur inside the containment, causing a pressure increase. However, as- stated in the SSpSA, even total blowdown of all the steam generators (total isolation failure) will not be as serious as the blowdown s assumed for a large LOCA. Again, we may expect a containment spray actuation 7. signal to occur, but do not see why it is either necessary or significant. In
]:.
[: otner words, it does not appear not to supply a needed function for this event I.$ and will nave no effect on the outcome of tne event whetner it works or not q ' (unless a core melt occurs, wnien is another point entirely). l 5.l t Il fl In this context, two major differences in tne tree structure do not seem to 4 d make sense. The first is that baron injection is required when auxiliary 1 feedwater works. There is no justification provided for this, and it is not j ; suppor ed by analysis, or by assumptions in any other PRA wnicn we are 3-38
~ _ . _ . . . _ .
***u-eag menager p- see s s p e. e=om .e e,-. ,e mp geq m ,p,,,,,e g. .gg, .,m , . ,, ,, , . _ _ ,
- y. __,-v -, , -, ,- - , , - -, , - ,,
4 1 '] 3
~
familiar with. We. have no reason to believe that a return to criticality is
< possible considering all the excess negative reactivity inserted following reactor trip. Further, a return to criticality is not in itself a concern in ',,1
'N any case, since the plant could acheive any significant power level. The .. F other difference is that a need for recirculation is assumed. This cannot be h correct since there is no 1.0CA taking place. A steam line break,
- nether
.e3 'fj inside or outside containment, does not result in the loss of primary l4 ';3 coolant. Therefore, there is no need for primary makeup and hence no vi 35 requirement for recirculation.
).1 .y s The only conclusion we can reach given the points in the forgoing discussion is that the differences between the steam line break inside and outside 17 containment trees are not meaningful to this analysis. They do not affect the i c., outcome of plant response scenarios, and are thus misleading. They appear to be artifacts of an overly detailed analysis. We consider all steam line breaks to be sufficiently similar to be represented on the .same event tree. Thus, the steam line break inside containment tree should be eliminated in a d favor of the more accurate steam line break outside containment tree. . ..y ? 3.2.2.8 Steam Generator Tube Rupture (Short Term) 3 9 3 3 ' We believe there are significant problems with this tree. The tree is poorly 9 -
- arranged and demonstrates a lack of understanding of a SGTR event. Major YL
?! modifications must be made to the tree for it to accurately represent plant response to this initiator. X.i
*G
.)
'J i The first problem pertains to operator actions needed to reduce primary m V
.1 i, 3-39 l' ;
i + _ . .
;~.~~
- 7.s* - - _ .. " _ _ . , . . _
pressure under various scenarios. The SSPSA assumes in cases where HPI is available tnat it is not always necessary to control HPI flow in order to reduce pressure. Quite the contrary, allowing full HPI flow (uncontrolled) will always result in an inability to sufficiently reduce the pressure and
]
k-t. terminate break flow because the small size of the . break and the high HPI flow rate will result in RCS pressure being maintained at least at the level of the - N..; y SI pump snutoff head. Thus, if no action is taken, all of tne coolant in the
- 8 j RWST will be pumped into the secondary while the RCS is still at high 9
.g pressure. Break flow would therefore continue after RWST depletion and a core melt will result. This need to terminate HPI'should be included in event OR.
q
~ '
The SSPSA also assumes that failure of event OR does not necessarily lead t' o I i core melt. This assumption is optimistic since, as imolied above, f ailure to
,. reduce primary. pressure prior to the depletion of the RWST means failure to
(. terminate break flow, which obviously means eventual loss of all coolant to J tne secondary and eventual core' melt. Thus, the tree should have been modeled g l1q tnat f ailure of event OR always leads to core melt. 54 Q
. .a fQ Event ON on this tree is said to represent a long term plant stabilization wnica is representative of the concept of "long term industry response" for h sequences where HPI and emergency feedwater are available. This aopears to be 1 '[9 j '
superflous and without substance. The purpose of long term industry response 4 ;
- with respect to the prevention of core melt is not made clear. This event 1 2,;
' ' provides an additional requirement to prevent core melt in already stable
.{.
n situations wnere the operator has successfully controlled RCS pressure and no (
', steam leak is present (break flow stopped, auxiliary feedwatar cooling) and no I' further action is required. This event is also apparently used, incorrectly d] v o .,
3-40
5 m as a means of preventing core melt in situations where the operator fails to control pressure or a steam leak occurs. When the operator fails to control pressure prior to depletion of tne RWST, a core melt will result regardless of G
- l. any last minute industry action. There is sufficient time available for the
.:1
. ,j operator to perform the pressure reduction such that the availability of other i Ej 71 action will not affect the success rate. On the othernand, if the operator
.1 i fatis to reduce RCS pressure in time, ne wiil be unabie to ao anytning eise in
- 1 .
d;> I the short time remaining before core damage. In the case of a steam leak, the C. SSpSA provides insufficient justification to demonstrate that it is possible
] ,
? to terminate break flow prior to the need for recirculation, wnich would be unavailable in this case since the coolant loss is to tne secondary. This is a classic case of an interfacing systems small LOCA, and RCS response would be e
'1 identical to any otner type of small LOCA, as discussed in Section 3.2.2.2.
]
The conclusion in that section, is that recirculation is required for all p'v small LOCAs. Since recirculation is unavailable for this initiator, a core
;l l
melt is reasonably assumed to result, again regardless of "long term industry I - response". 'Thus, we conclude that event ON is extraneous in this context and that no decision points should appear for event ON for these scenarios. M;
.a .
j$ l Event ON is also used as the basis for cnanging an early melt to a late melt Id iA . for tne RCP LOCA case. As with the small LOCA tree, we conclude that this is '.9 1 mildly optimistic at best and that taking credit for any perceived cnange in ~ l ffj plant damage state is unjustified without additional supporting analysis. .d N Thus, event ON is not required for this case. Since the last two paragraphs m i.2
=
- J.j>
discussed the only uses of event ON on tnis tree, and in both cases it was concluded enat it was not needed, event ON can be completely removed from the n a (. tree. We would, however, agree tnat a late melt would result if operator
- 3-41 i
l [, . .. . _. . . .
. duissiehe* ,w_ .,g.g- g., ,. , _ _ ,
%W g( PW **9=h-9
, , , ,,._ _ _ . . - . _ _ _ . . , , , . _ _ _ , . . _ _ . - ,, ,.___.__._._._,m _ , _ . , _ _ , - _ _ . _- _ __ _ _ _ _ _ _
. . . . ~
., action 00 (secondary depressurization in this case) were concined with success
. )
' of RHR in the LPI mode, and the tree should have included this.
o q
- In a similar vein, credit is taken for being able to avoid core melt in x
,I situations where HPI has failed and a steam leak occurs. In this case, operator action 00 is used in conjunction with low pressure injection in order
'! to depressurize the secondary, wnich depressuri:es the primary, allowing LPI
.[l ;
to replenish lost inventory until break flow can be stopped and the plant cooled down using RHR cooling. As before, the question in this case is - d 9 . G -' whether the primary pressure can be reduced below atmospheric before the RWST is emptied, since the occurrence of a steam leak creates a classic case of an 1 interfacing systems LOCA. Since the, SSPSA does not provide sufficient '
- l, justification to demonstrate that this is possible, we conclude that this
- scenario should lead to a late core melt due to RWST depletion and lack of
~
recirculation cap' ability.
~
.T, i
Finally, the SSPSA assumes th.at failure of both auxil.iary feedwater and bleed-
]
and-feed will result in a late melt due to the effects of steam generator $e , ,{ inventory. This is contradictory to the results of the identical sequences en the transient and small LOCA trees. On both of the other trees, failure of both of the cooling methods results in an early melt, which is in keeping with f.a i the logical, and generally universal assumption in other PRAs that total loss l .]h i of all short term cooling will, result in an early core melt. It is possible
- l. .
- i). to view the phenomenology of a SGTR event as "between" or " bounded" by the
' C.. phenomenologies of tne other two initiators for this sequence of events. That u
- L;,
l is, it is more severe than the transient since some coolant loss is involved i.
': but less severe than the small LOCA since the coolant loss is to a higner
, {,
!J , 3-42 "A
. m. -~ - _ . ,
l .- _ .~ .g, . . - . ,,s .
,,,. w, , _
~
i
.i .
i I 1 i - downstream pressure so that the core melt timing would not be significantly different for tne SGTR sequence. We therefore conclude that enis sequence snould result in an early core melt. i 3.2.2.9 Anticioated Transients Without Scram
'i. !
- ].; i 1 j We have rev' i ewed tne SSpSA analysis of ATWS, giving special consideration to 1 . .
the escantly released NRC ATWS rule (Ref. 3.2-5]. In performing tnis review,
; we were not constrained to accept the new rule in its entirety, but used it to provide guidance and information. Significant problems were identified in the
' ATWS tree. The tree is poorly done and considered unacceptable. The entire n .
. tree .w s: be redone in order to get a reasonable assessment of tne frequency a of tne various plant damage states due to ATWS. This section discusses the G justification supporting tne selection of particular viewpoints for particular V
ATWS issues. I The SSpSA gives' credit to the possibility of operator action to effect manual H) i q reactor scram following automatic scram failure. This action, however, is not modeled explicitly on the tree: it is applied directly to the failure of RPS 3 i leading to ATWS. We believe it is valid to consider tnis type of recovery, 44 1 J but believe that an action of tais import snould nave been incluced explicitly a k :* .on tne tree. It is also important to make clear enat this recovery action can 1 only be applied to electrical failures of the RPS, so that RPS failures should f have been divided into electrical and mechanical failures as in the ATWS rule, '3 with one difference: the rule defined electrical failures as including tne 1
- l. breakers, and we would define it as failing to produce a trip signal at the
- V e
- 3'-43
's
. g . - . ...._,_~,.__._.a._...._.. .
i
.i l breakers. This is based on a detailed analysis of a Westinghouse RPS as part 3
. ,/ 4 l l of the Ringnals PRA [Refs. 3.2-6 and 3.2-7] wnien is the most detailed
'i protiabilistic/ fault tree analysis of tnis system known to us. Other PRAs have generally performed very simple analyses or used generic RPS failure O'. ; numbers. The ATWS Rule used a very siglistic screening analysis for its RPS ci i failure probacility estimate. The Ringnals analysis showed that the total RPS I
d.I failure prooability is about 3E-5 per demand and that about one third is due i j to potentially non-recoverable (in ene snart term) comon mode breaker faults a s j f (mecnanical) and the remainder consists of recoverable (by manual scram) 3 electrical signal faults, oftest combined witn test outages (also recoversale
.g i . ] .
by manual scram). Comon mode control rod and drive failures did not j contri bute. Since this analysis is men more detailed than the one in the ATWS Rule or tne SSPSA, we feel it conclusions should be utilized and a manual 1 recovery credit applied to electrical failures only. ] ,
.! ! The SSPSA next considers the initial power level, stating that power levels 1 !
j less than 80% will not cause hign pressure spikes. This event is not required A . j . since we assume all our initiators occur from 100% power. Tne SSPSA fails to ik i E 2 consider, however, that the moderator temperature coef ficient (MTC) changes
.d 1 f with time and that its effect on the pressure spike is dependent on turoine v .
j'l j trip success or failure. The SSPSA performed its pressure spike analysis assuming a moderator temperature coefficient valid over 95% of core life. It
- ,1
/j ,
should have, instead, considered the fraction of time during the cycle life g i 4 that the MTC is " unfavorable", that is, when it results in an unacceptably nign pressure spike. This was done in the ATWS Rule, and we consider it to be
., a more realistic approach. This fraction is dependent on the occurrence of l e h turbine trip, so tne turoine trip event must be considered first. The ATWS 3-44 o
% MM W 4. e 6 g an.
* 'W **
- 4D mam g%< g g e- pg g g e gem. _. g ege$gpa mg gg g,g e 9 -.m- eagp p pq 9 . p g esp .g.y gy m, esgay, a p g, a ,a g gg _
. _ _ . _ . . _ = . _ _ _ . . .
k l Rule also concluded that whenever extreme overpressure occurred, defined as 3 i exceeding Service Level C, core melt would result. While tnis is likely to be
,A
-l conservative, the uncertainty of RCS performance at these pressures leads us i
j to conclude that ,tnis is the most reasonable assumption to make at tnis time, as opposed to the SSPSA assumption tnat severe overpressure results in a small LOCA. Thus, all sequences where MTC is unfavorable lead to core melt. One il I, additional point on the subject of turbine trip is that both the SSPSA and the u ! 1 - ATWS rule assume that electrical failures of the RPS will result in failure of automatic turbine trip. This is not supported by the Ringnals analysis, which "1 . showed that the dominant electrical RPS failure modes did not directly cause h][ tureine trip failure, and that at least one additional failure would be required. The SSPSA snould also have assumed tnat Seabrook will nave a diverse (independent of RPS) turbine trip, since the ATWS Rule will require p it. Thus, a turoine trip failure probability should be applied for all
. s.s initiators under all conditions. .
i , The SSPSA assumes that it is necessary for the operator to shut down the reactor after tneinitial phase of the ATWS. This is reasonable, consistent Z ] with the ATWS Rule. However, the SSPSA assumes tnat this action cust ce taken
,{. within ten minutes, wnicn is very conservative. Once tne initial pnase of tne
- s. , ,
ATWS is over, the power equilibrates at the secondary heat demand and the plant will operate safely for extended periods of time. This is supported by
})
2 I many analyses and a simlator run performed for us on the Seabrook sinulator d during the plant visit of August 29-31, if 4. We believe enat time frame is
- 1 more on the order of 60 minutes or more, but 60 minutes is reasonable except
.h I wnen a primary safety valve sticks open or the ATWS tree is entered from a
< LOCA initiator. In this case, a 20 minute time frame is more appropriate.
s,. .. t 3-45 i-t .
- t. . .. ~. _ . .... _ , ,_ .. _ . .._..
~
-i ,
Manual inititation is required for both cases, as shown on the SSPSA tree. Additionally, tne SSPSA represents this whole procedure on the tree with three j events. OH (operator borates), HP (HPI functions), and ON (need for "long term
.3 stabilization"). We consider this table unduly confusing and better nandled
'I
' with the one event OH, which would include HPI. Once this.is properly j performed, the ATWS is over and the event is either success (non-LOCA case),
or proceeds in the manner of a normal small LOCA. No additional , p l "stacilization" event is required, as previously discussed for other trees. d [.
, The SSPSA also assumes 'tnat it is possible to mitigate an ATWS by using bleed- }4 "1 ,
j and-feed with HP! only if emergency feedwater fails. This would tneoretically
! provide boration to snut down the reaction simultaneously with bleed-and-feed cooling. This method has not been considered in most other PRAs, and appears questionable since it is not clear how much coolant can be pumped in under the O conditions which would be present' and how long it would take' to effect shutdown. This assumption takes an inordinately large amount of credit for i '
the ability of HPI to provide flow at operating pressure. It would seem that m{j
- at best only the charging pumps would be capable of injecting any coolant at l',j I all, as the pressure should be too high for the safety injection pumps. Also, i.i Q .' there would be ruch greater amounts of heat to be removed through the PORVs N !
with makeup flow than for a normal bleed-and-feed scenario. It is not clear j , now this heat can be removed and the reactor shut down under these conditions '1 , ' without help from the emergency feedwater system. We enerefore, conclude that lb I t all sequences with failure of emergency feedwater snould all to core melt. lJ4- #
+. +
l -l., The remaining events on the tree are concerned with long term cooling and
~
snould be structured as for a normal event, since the ATWS condition has seen (J .
^
3-46 J
. 7. - s ., p ,. . v - - . . . _ . . . . _ . . , , . . . . . ..
f .
.: s l ,
tarminatad. Thus, tne remainder of each sequence behaves like any other
~
yj i icci dant. This is treated properly in ene SSPSA since the ATWS sequences
; transfer to the same long term trees as the otner events.
j 1
$ I 3.2.3 Issues of Ircor*ance to the NRC e
},
d;j I In their instructions for this review, the NRC listed certain issues whica
=r j were of concern to enem. They wanted to know now these issues were treated in
{
!. i the SSPSA. This section discusses the issues wnich affect the event tree j:} analysis.
T.) s
- q d -
3.2.3.1 Recirculation Pumo Seal Failure Ouring Station Blackout i1
+ .
.; This event is explicitly considered on :he generalized transient tree. The SSPSA assumes tnat a RCP seal LOCA will occur imediately upon loss of all AC i power, and that the leak rate is 20 gpm per pump. We disagree witn botn i assumptions. First, it is not reasonable to assume a leak will occur .
b imediately. Both actual experience and NRC analysis snow tne seals able to f?
.$1 remain intact for 30 minutes. Experience also snows that the seals may ce
- d. able to survive up to one nour. A sirgie analysis was performed in the If,j Ej . Millstone-3 PSS Review (Ref. 3.2-8], and we feel that the conclusions therein hi ~t fj j are the most realistic way to represent the RCP LOCA. They are as follows:
.1 3 h
A M - - no LOCA will occur if power is aestored witnin 30 minutes,
':M ,i
- }
2 - there is a probability of 0.4 enat a LOCA will occur if power
's e stor 4 'a :n 3o-6o =4""t ' rc== 4"4 ,i O -
3-47
- . -__e . . . . _ - . _ . . . , , , , . , . . _ _ _ . . , _ _ . _ , _ . ,
e
l '6 i iq
- a LOCA will certainly occur if power is not restored within .!i
- 60 minutes.
3
.i Of course, this is not a perfect representation since a simple step function .1 ' ,
cannot possibly accurately represent what should be a continuous 7 d f {;j distri bution. However, it is more realistic than the instantaneous step
- h. function utilized in the SSPSA.
5} ij ! 9a . The extremely low flow rate used in the SSPSA unrealistically extends the
.k occurrence of core uncovery and damage for a long time. The SSPSA assumes a i
20 spm/ pump flow rate when NRC (and other) analyses have cited flow rates for 1 total seal failure as 300 gpm/ pump. Even ene SSPSA mentions this figure as
- i the upper bound flow rate. We believe there are good reasons to assume that
'( p V. . . 7 , once the seals fail, they will rapidly accelerate to total failure since they are in a degraded condition under high mechanical and thermal stress. We also believe it is more realistic to assume the higner flow rate soon after the 'l . occurence of the LOCA. Under this assumption, core damage is more p)
, realistically assumed to occur two hours after the station blackout, as q
j; assumed in most other PRAs and analyses. Thus, failure to restore power W
- witnin two hours results in a core damage sequence in any station blackout le : -
i;1 scenario. s 9 .t .? .
- 1 >
g , These points are also discussed in Section 3.5.2.10, which is concerned witn ua .
'lt tne human reliability analysis of AC power recovery. ,, 3
': { 3.2.3.2 Geoletion of DC 9atteries During Station Blackout 1 i 3-48 i-
.m <
h This issue is not considered in detail in the event trees, however it is
-! treated in the analysis of recovery of AC powei. This is discussed in detail
- ts J in Section 3.5.2.10.
9
- .{
- hl ! 3.2.3.3 Pressurized Thermal Shock il d
4e
}l i
j j. The SSPSA treatment of pressurized thermal shock (PTS) is the most t *
'n i comprehensive ever seen in a PRA. PTS is included directly on eacn tree for 'h i b i wnich it is applicable, and its treatment is reasonable except for the items I
I.I j ! discussed in Sections 3.2.2.1 and 3.2.2.2. i 1 3.2.3.4 Steam Generator Tube Rupture (SGTR) with Stuck Ooen Secondary Steam
-j Relief Valves (SRVs) a.O ;. j r
' j; This event is modeled directly on the SGTR event tree as the steam leak [ - event. It explicitly models instances where the occurrence of a steam leak @M alters the phenomenology of the scenario and complicates the event sequence,
- Py Q ] altnough, as discussed in Section 3.2.2.8, there were problems with the is f,. handling of the effects of a steam leak on the occurrence of core melt. The j
t]g ; j;j ' SSPSA also considered steam leak for its effect on plant damage states, and
- 9) t j j had specific plant damage states to account for this scenario.
p , ee . AN :
'!.j 3.2.3.5 Anticipated Transients Without Scram ( ATWS) s
' ,' i
*1 Tne analysis of ATWS is handled expilcitly on its own event tree as a N .;
consequential event following eacn of the initiator classes. Eacn of the 4 i, 3-49 1 l . , . _ , . , _ _ _ . , . , . _ _ . _ . . , _ . . . . _ . . _ . . . .. L.
i , event trees for the various initiators has an irnplied transfer to tne AT'AS tree for a failure :o scram. Our review of this ATWS tree is describec in s Section 3.2.2.9. 3.2.3.6 Stuck Ooen Primary Safety / Relief Valve (S/RV)
"I l
]
- This event is not properly treated on any of the non-LOCA trees except the ATWS tree. Our coments on tnis issue are contained in See:1on 3.2.2.1. -
I .
-i i t
a f . o i
;, n. .
j ks' i _ Q. 5 l-4 i 'i l ! 1 '!j -
- j-i l 3-50 l
l l-
i ,
,. _s- 3.2.4 References for Section 3.2 .i l
O
- 3.2-1 Northeast Utilities, Millstone Unit 3 Probabilistic Safety hj ; Study, August 1983.
.i g . .. .. ..
l 3.2-2 NUREG/CR-2728, Carlson, 0.0., et al, Interim Reliability Evaluation j ; Program Procedures Guide , January 1983. a j 3.2-3 NUREG/CR-2315, Papazoglou, I.A., et al, Probabilistic Safety
'i .
1 Analysis Procedures Guide , January 1984. I
^
3.2-4 WCAP-9754, Thompson, C.M., et al, Inadequate Core Cooling Studies of gs . Scenarios with Feedwater Availabl e, June 1980.
')
l : 3.2 SECY-83-293, Felton, J.M. to S.J. Chilk,10CFR50, Reduction of Risk g j from Anticipated Transients Without Scram ( ATWS) Events for Light-
'- Water-Cooled Nuclear. Power Plants, December 1983.
k 1
' 3.2-6 NUS Corporation, Ringhals Unit 2 Probabilistic Safety Study.
' h. I 3.2-7 Amico, P.J., " Fault Tree Analysis of Westinghouse Solid State 1 Protection System Scram Reliability," Proceedings of the 19
},i International Meeting on Thermal Nuclear Reactor Safety, Septameer a
ifl 1984
'I'I
( s ,/ 3.2-8 Garcia, A.A., et al A Review of the Millstone-3 Probabilistic Safety Study, May 1984 i . 1 l 3-51 j ' 'r
.._,.g ~ . . . ,
4 -- - , . , . , , . . , , - . , . -
~
3.3 SUCCESS CRITERIA The functional success criteria used in the SSPSA for the functions of Emergency Core Cooling Early, Emergency Core Cooling Late, and Containment [ Heat Removal are shown in Table 3.3-1. This table includes most of the i success criteria used in the SSPSA and virtually all of the meaningful ones. l It was relatively difficult to compile this table, since the SSPSA did not l , display the various success criteria in a concise manner. These criteria were
- spread throughout the event :ree development part of the SSPSA, ano in some cases in other areas of the report. The SSPSA included little, if any discussion of success criteria in a functional sense, generally discussing
'j them only at the systems level, so that it was necessary to deduce The 4
,s functional success criteria' from the event sequence , diagrams and event tree .: \~
models. Review of the functional and systemic criteria determined that they i, . are generally reasonable, with some exceptions. Where the criteria differed from criteria used in past PRAs on similar reactors, an examination of the
] bases of the criteria was undertaken to determine if they were valid. Some of
- .M these are discussed in the section on event trees (See:1on 3.2 herein) sinca i
they directly affected the event tree structure. Although the documentation in the SSPSA in many cases contained insufficient justification or references to support the criteria, the review team was able to verify the criteria in some cases based on experience and-through the use of reference. material known to us but not cited in the SSPSA. A summary of our findings for each function evaluated is discussed below. 3-52
.- . . .~. -
3.3.1 Emergency Core Cooling Early
.:9 3.3.1.1 Power Conversion System During Transients
; The SSPSA does not take proper credit for the use of the power conversion I
$ system to provide cooling during transients. This problen is discussed in ,
; Section 3.2.2.1. The PCS should be included as a valid success criteria in I
place of the startup feedwater (SFW) pump, which should be considered part of
, . PCS.
t 3.3.1.2 Bleed and Feed Cooling The SSpSA assumes that bleed and feed cooling can be used for transients, small LOCAs, steamline breaks- inside and outside containment, and steam f .
\
generator tube ruptures (success criteria (c), (b), (e)", (c), and (b), ~
. respectively, in Table 3.1-1). These success criteria appear to be reasonable I based on prior PRAs and generic Westinghouse analysis in WCAP-9744 [Ref. 3.3-1 . ] 13 J} :
4 3.3.1.3 High pressure Injection During Small LOCAs i i
- The SSPSS assumes that any one-out-of-four HPSI pumps are capable of providing l
- l. this function during small LOCA events. This is not consistent with standard FSAR success criteria, but is generally supported by analysis in more recent PRAs (e.g., Millstone 3 PSS [Ref 3.3-23). It also follows from the bleed and feed analysis discussed aoove, that is, if one pump is sufficient for feed and g- bleed it should also be sufficient for small LOCAs, at least from tne s-.:
e l 3-53
. .o y >e.em om .e e m= . +-~eeew a y.e ,e - , .. N- m , . . soee* = wa -e = -,e* * .~ ~ e pa e.
- we
standpoint of flow rate, since the equivalent break size is smaller. However, this break size advantage can also be a disadvantage in certain cases. Analysis in the Millstone 3 PSS indicated a potential problem with breaks at the small end of the size range which result in insufficient depressurization
; of the RCS, so that pressure remains above the shutoff head of the SI pumps, j -
Thus,. for some break sizes, if only SI pumps are available (i.e., charging {
; pumps have failed), it may be necessary for the operator to open a PORV in j $ order to lower the RCS pressure. In order to remove what may be an optimistic 1
-! .! assumption, we believe the success criteria should require either one-out-of-
' two charging pumps or one-out-of-two safety injection pumps in comoination j
) I with one-out-of-two PORVs. Ideally, this should apply only to a subset of small LOCAs at the small end of the scale. However, no analysis available to us defines the break size or flow rate wnere this begins to be a proclem, so l - the revised criteria should be applied to the entire break size range.
l ('
~
j ; 3.3.1.4 Injection Cooling During Medium LOCAs s The SSPSA assumes that this ' function can be accomplished without the neec for
@t l.
? , accumulator injection, contrary to the assumptions of previous PRAs which have !.t I f ' s j assumed that accumulators are required for break sizes in this range. While ~ i it is obvious that this is probably true for breaks at the lower end of the cange, which would be similar to small LOCA feed and bleed conditions, it is
' not clear that this would also be true for larger breaks. A plant specific calculation performed for the Millstone 3 PSS [Ref. 3.3-23 determined that only one HPI pump is required over this break range, in conjunction with three accumulators. Although this assessment may be conservative, it is the most recent detailed analysis of this break size for plants similar to Seacrook.
j 3-54 l
< . . , . 7- p.... ,,c -.- .b ,y.w,..- - ---. . _ , . 4. . .
s
/
For this reason, and the fact that no justification of the Seabrook success criteria is provided in the SSPSA, we believe it appropriate to apply the j Millstone 3 success criteria to Seabrook, and therefore to require .i* accumulators for medium LOCA injection cooling.
.:i .i - ; 3.3.1.5 Injection Cooling During Steamline Breaks
- 4
- ' The SSPSA uses entirely different success criteria for steamline breaks inside
- l
.] and outside containme'nt. This appears to result from an erroneous analysis of
.i
'l the inside containment case, discussed in detail in Section 3.2.2.7. Herein.
! '4e believe it appropriate to apply the functional requirements for the outsice i
containment case to the inside containment case. 1 _ 3.3.1.6 MSIV Closure for Steamline Break Inside Containment "
.i 1 -
'l The SSPSA states that in order to prevent multiple steam generator blowcown
'! for this initiator, three-out-of-four MSIVs must close. This is incorrect.
k In this case, there is no way to prevent blowdown of the affected steam
?j ifJ , generator, and the only way to prevent multiple blowdown is to isolate the
( other three steam generators from the affected one. This means that the MSIV j j success criteria for this case should be closure of either one-out-of-one
'l -
MSIVs on the affected steam generator or three-out-of-three MSIVs on the d j unaffected steen generators.
] 4 3.3.2 Emergency Core Cooling Late 4
1 3-55
-p.-. - - . -. . --
}
3.3.2.1 Secondary Cooling for Transients and Steamline Breaks 6 3
,- The SSPSA assumes a need for operator action a long time into these events in order to mai.itain secondary cooling ability. This assumption is overly
- M.4 conservati e, for reasons discussed primarily in Section 3.2.2.1. This 5
y requirement should be removed from the success criteria. il j 3.3.2.2 Residual Heat Removal For Small LOCAs 1 i
-j The SSPSA assumes that it is possible to avoid the need for recirculation for I
I this initiator by providing cooling entirely through closed loco RHR cooling. This is an overly optimistic assumption, as discussed in detail in Section 3.2.2.2. No credit should be given for this cooling method. r 1
-f 3.3.2.3 Long Term Cooling During Steamline Breaks 3 ,
The steamline break inside containment success criteria should be eliminated
?l in favor of the outside containment case for the same reason discussed in N
, . ,, Section 3.3.1.5 for the injection cooling success criteria.
Q
,.}
3.3.2.4 Long Tenn Cooling Ouring SGTR with Secondary Steam Leak 5 0>
-d 1
' The SSPSA assumes that it is possible to provide this function under these l conditions. This is an overly optimistic assumption, as discussed in detail in Section 3.2.2.8. The prevention of a late melt during SGTR snould in all
. cases require that no secondary steam leak be present.
3-56 i
. . . - . . . .......-.....n.._..w.. ... . . - - . . . . . - - . . ,
l-
+ . . . - ... . . : .
2 1 7 i / 3.3.2.5 Ocerator Action Durina SGTR e
.9 l1 'l - The SSPSA assumes that operator actions to control various facets of the RCS 1- and secondary pressures / flow rates is not always required. This is not ')j g correct for reasons discussed in Section 3.2.2.8. It is also important to . note that the "Op. Act." required in the SSPSA is not necessarily appropriate in form, timing, or content. This is discussed in detail in Section 3.5.2.7. ~i 't I 3.3.3 Containment Heat Removal
'J .i
~
The success criteria for this function is reasonable and consistent wi n the plant FSAR and previous PRAs. q , V, 3.3.4 Revised Success Criteria A revised set of success criteria, which are based on the discussions above, are presented in Table 3.3-2. ,j : 3.3.5 References for Section 3.3 y N~ ! il !k
- 1;.
e f
*i ': ./
n 3-57 ir NMU 8 . '4 . .O 6 See &W4 . .. .*. ....ae .d-e- * .*
. , * . . . . .w. .. .,m. ... . .-.,4 4-.. -= e+ * * - ~ + .*-* ~ .e ->
l
' REFERENCES for SECTION 3.3 m
w
.6 i
3.3-1 WCAP-9744, Tauche, W., Loss of Feedwater Induced Loss of Coolant
'b Accident Analysis Report, May 1980.
1
.,h
~sl . J. 3.3-2 Northeast Utilities, Millstone Unit 3 Probabilistic Safety Study, jI . August 1983.
.- 1 .'a, . ." N *h b
e t i 5 0 0 .~. ,
' . s D .
+
0 4 .i* .
;i
.~ ','f .' t e \ .J., s le
,u ;
j . t -
.- I ~ ,'1 t .i '
d 4 ' O l i
- is j l 'l j fS l.II l
l .l . 6 I 3-5a i
.i
( . . . . . _ . . . _ _ . . . .. _. . . ,
. . _ ~ . . , . _ _ _ , _ . _ _ . . . _ _ . . . _ . - . . . . .
=
a._ . -. .. . . . . i TAata 3.3-t Seabroek Staties PSA resettesal Sessees Crtteria i
' tearseecy Core teergemey Care Caetatsseet Seat taaeval
(%/ taktister Coeling tarir Castle 6 Late
.o e 5 Treseteet (a) t/t SW (a) t/t SW + Op. Act. (a) 1/2 C3 or or (cere melt sequences only)
- (b) t/2 EN (b) 1/2 E N + Op. Act.
er er (c) 1/6 est + 2/2 Potv (c) t/2 RPSt
- }:. . .
** Ses11 (a) 1/2 EPW
- 1/4 WSI (a) 1/2 EN + 1/A WS2
- t/2 SR Saes d er er
.i$ , thCA (b) 1/4 WSI + 2/2 PORT (b) t/2 EPSE 4 or or f.j (c) 1/2 EN + SSR
- t/2 LPSI (c) t/2 EN
- SSR + 1/2 f.PSE
,. 1, i? -
Medim (a) 2/6 nPSI (a) 1/2 EPSE Saes ..q er .c ., IACA (b) t/2 EN + SSE.+ 1/1 LPSI (b) I/2 EN
- SSR
- t/2 LPSR Large (a) t/2 175I + 3/3 Acc (b) 1/2 LPSR Smen, het alae
.I alloseble for 'I 1ACA see-core salt ii sequeseee (to prevent este molt) d 4I -
Stemellee (a) 3/4 MSIT + 1/2 EN (a) t/2 EN
- Co. Act. Saes or or Brest (b) 1/1 MDEFW (b) 1/2 USE er
, , (Osteide) (c) t/4 EPSI + 2/2 Pot?
j y- Steenties (a) 3/4 MSIT + t/2 EN * (a) t/2 EPSE Sees
', 1.4 EPS!
t treek er 4 (b) 1/1 teEPW + t/6 EPSI (b) t/2 EPW
- SSR + 1/2 LPS4 3
- er j '
(1eetde) (e) 3/4 ret? + t/2 EN *
, SSE
- t/21751
..o or ,, ,a , (d) t/t tetFW
- SSR + 1/2 LPSI (e) t/6 EPSI + 1/2 P087 f ,
. t ScTE (a) t/3 S/tp
- t/4 EPSI (a) t/3 S/tFW + 09. Act. Saes W '
er er
*. ; (b) 1/6 EPSI
- 2/2 Pot? (b) t/2 aut
, or er , g (c) t/3 S/tPU
- Op. act. (e) t/2 eSt t
-i j M
y 1
.v t .sl i ,-
4 e v e t 3-39 I !
.j
+.ew eper ee q,.ge r o. , *=e w ..ov..+. +y.+'. Ng -u ** **** N e*
NSP ' * " * " * * * * * ~ ' " * * *
. . , . . .a .
.m_.
TAsta 3.3.2 i tevised Seehrook Station Peactianal Succese Criteria
.,~
,D
~ toergency Care Emergesey Core Contalement Zettiseer Coeltog tarly Cao11eg Lata Esat Removal
*lr- 1
; Transient (a) PCS (a) PCS (a) t/2 CSE ]
.j (b) t/2 EN er or (b) t/2 EN (core sett sequences only)
)
4
's or or ;j (c) 1/4 EPS2 + 1/2 Post (c) 1/2 EFSR
- =
,' ~
Smeti (a) t/2 E N + t/2 CF (a) 1/2 EPSE Same F er ee . LOCA (b) 1/2 EN + 1/2 SIF + (b) t/2 EN + S$1
- t/2 LPSR
[.f,
- ' 1/2 tott N ee
- ,-j (c) t/4 sys!
- 2/2 P089
[-1 (d) t/2 EN
- SSR
- t/2 LPS2
. .)
v,. 7 Medi e (a) t/4 EPS2 + 3/3 ACC (a) 1/2 EP51 Same
~' . of or 4 LOCA (b) t/2 EN + SSR + 6) t/2 EN
- SSE
- 1/2 LPSE
'f t/2 LPS2 + 3/3 ACC Large (a) 1/21752 + 3/3 ACC (a) 1/2 1251 Same LOCA
- 6, Steamiles (a) MSIT*
- t/2 IN (a) MSIT*
- t/2 EN Same er
.'$ Break (b) t/1 haEN (b) t/1letFW ,j (c) 1/4 5F52 + 2/2 Post (e) 1/2 EPSE SETE (a) t/2 EN
- 1/4 EPS2 (a) 1/2 IN + Op. Aet. + po .5L Same or er (W 1/4 Erst + 2/2 Post (b) t/2 Erst + Op. Aet. + se SL (e) 1/2 E N + op. Aet.
].3e
- See Secties 3.3.1.4 Y
k b at tl
- 1
- f
.'. t . . l A
s M t ri
?. ..
i
'T I
.N 1' . .
v
.t 4
! 3-40 i
I
- - . . ~ . , _ .- .. ,... . ,, . . . . . _ . . . ,, __. . - -- . - ---.
-- - , - - - - *-.--___ m
3,4 SYSTE.45 l
- ~)
c 1 This section presents the results of our review of the system descriptions and analysis performed for the SSPSA. The system descriptions were reviewed for J adequacy in supplying the appropriate information to enable us to verify the ik systems success criteria, models and analysis. The system analysis was 3 reviewed for model accuracy, validity and completeness for quantifying system
) ;1 response and accident sequences. '1.
A ' 1 Fj The system analysis for SSPSA was performed for " front-line" and " support
'I - systems. Front-line systems are considered in the event tree top headings for 1
~ the analysis of the various initiating events. They are designed and required for accident mitigation. Support systems are considered in the event tree developed for an auxiliary system. They are needed to provide power, cooling,
~
actuation and support to the front-line systems. 1 a
'i The system descriptions and analysis were provided in SSPSA Chapter 7 and Appendix D). The auxiliary and front-line systens analyzed for the SSPSA are listed below:
f AUXILIARY SYSTEMS
- t
.i .
.s Lj SSPSA Section Appendix System 7.2 0.2 Electrical Power System (EPS)
/' 7.3 D.3 Service Water System (SWS)
,; ..s 3.4-1 L-
- s j 7.4 D.4 Primary Component Cooling System (PCCS)
Os ! 7.5 D.5 Instrument Air System (IA)
-7 .. e j 7.6 0.6 Reactor Protection System (RPS) .1 ~ 'N .
Solid State Protection System (SSPS)
}} Emergency Safety Features Actuation .s 3
N- . System (ESFAS)
! ; 7.7 0.7 Containment Enclosure Air Handling d) i fj j Systan (CEAHS)
FRONT-t.INE SYSTEMS e 3 4
]i 7.8 0.8 Emergency Core Cooling System (ECCS) cj 7.9 0.9 Emergency Feedwater (EFW)
- - j p 7.10 0.10 Reactor Coolant' Pressure Relief J
7.11 0.11 Main Steam (MS) . 7.12 D.12 Containment Building Spray (CBS)
'i ,J 7.13 0.13 Containment Isolation System (CIS) c
'I]s D.14 Control Room Heating, Ventilation, and
..a Air Conditioning (CRHVAC) m
'N i.h Each system was modelled using a reliability block diagram (R80) instead of f; i the more traditional fault tree model. In the SSPSA, R80's were contructed
]
a
- ( using a set of supercomponent blocks. Each supercomponent block is a collection of components in series. Typically the failure of any component l within a supercomponent block will fail that block, however, in the SSPSA, j some blocks represented combinations of component failures. The RBD's were h then used to develop, by inspection, logical expressions for system's failure 3.4-2
'i
.l.____ - . _ . . . . . . -
...,.m _ - - , . . _ . . . _ . . - - - - - . - . - - - .
I
! dependent on the specific initiating event, boundary conditions and required 1
l C3 systen function. The logical expressions were used to quantify the system's
.i .j failure response for each initiating event.
kl ' The supercomponent blocks were first quantified using the DPD2 and STADIC 1 . ] l i computer codes. Once the blocks were quantified, the logical expression for the system was then quantified using the same codes. The result of the system d. 1 l y l analysis for the SSPSA was a set of numoers that represented the systems ,1 Iq failure response. The mean unavailabilities determined in the SSPSA for each - '::j - system and initiating event are given in Table 1.
- 1 . .
b} 1 Tne beta factor method was used to analyze corson cause failures in SSPSA. Beta factors were derived for specific connon cause failure types wnere data i was available. When beta factors could not be derived a " generic" beta factor C of 0.125 was used. A further discussion on beta factors is given in the
. r section on data review. .
The review results for each system listed above is given in the following subsections, 3.4.1 - 3.4.13. Each subsection is divided into three parts. j The first part contains a brief discussion of system configuration and
- .h, f,.] ,
response during accident situations based on the SSPSA systen description and s. j the Seabrook FSAR. The second part discusses the RBD system model with
~i , respect to the its configuration and intended function. Our evaluation of
- 1 .
d each R80 model considered the consistency between the system model and its f',. success criteria. The SSPSA treatment of test and maintenance, human errors 1 and common cause failures was also evaluated. The last part of each 1 subsection contains comments and Conclusions reached during our evaluation of
- i 3.4-3
. i i
.s the systems analysis with respect to accuracy, validity and completeness.
. O-a d In general, the system descriptions and models adequately represent the l configuations and response of the systems analyzed. The RSD analysis v
' technique, however, is less detailed than fault tree analysis. The use of J<
a
." RBO's to derive logical expressions is more of an inductive than deductive, o
j process, so that it is more demanding on the analysts knowledge and j i i ! background. In addition, the process of quantifying at each step reduces the i ! .
;i representation of the system failure to a single numerical quantity. There 1 '
are no cut sets that represent system failure modes. While it is possible to p.
-' determine which component less insight into the systems failure response and a less information is passed onto the next level of analysis, the event trees.
, q T'e h systems models were found to contain many conservative assumptions which
; were made mainly to simplify the analysis. In some cases, however, these
! simplifications eliminated components or subsystems that should have been considered in the analysis. In other cases, the simplifying assumptions m
ip attached undeserved significance to components that were included. Although A
- ) the simplifications produced conservative results, in some cases these results 1
y are unrealistic and misleading. For example, conservative assumptions on the
- ) .
";j need for particular auxiliary components in a system may yield system j '
unavailability results which show the importance of these auxiliary components to be dominant. Realistic assumptions can produce entirely different results, }:} g showing those same components to be insignificant, reducing the system lj, . unavailability by as much as an order of magnitude, and snowing that other 4 components dominate the systen unavailability. f
.) .
3.4 a ( i
._..s.-...,_.._ . . . . . . _ ... .
_ . . . . . _ . . . . . -..:_.__ l i i 1 i ,
'. \ \
t : 1 l Although the SSPSA does not provide measures of component or super-component- l bq block importance, simplified calculations using SSPSA data and logic equations k show how components important to system reliability when realistic assumptions
- A j.j are used can be masked into obscurity by conservative assumptions. One 3 j consequence of these conservative assumptions is an increase in the final risk .
U
.) ; estimates. The point is not that the results are two conservative, but that .a ;
j l the use of conservative assumptions may mask important qualitative and/or
.., e 0
! quantitative inferisation, and that this may subsequently result in incorrect t i decisions rigarding the effects of potential system modifications or upgrades
. on the reliability of that system.
[1
. a,
.. i In our evaluation, we were unable to verify the accuracy of the numerical
' ~
l results in the SSPSA. There are two reasons for this. The data upon which they base their results is proprietary and was not given. - The rev.iew of the im o data is given in section 3.6 herein. The use of OPD2 and STADIC computer j codes in the SSPSA to quantify the logical failure expressions produced i results that were not reproducible by to a direct calculation using the G a component mean failure probabilities presented in the SSPSA. For most cases, a ?!.i the difference between the stated systen mean failure probability and our e L direct calculation were small, however, during our 2 - 5. In addition, since d :
)4 i j
we do not have the DP02 and STADIC codes and access to their data, we cannot
't assess the impact that a correction to a model may have on the overall a i I l results. It was even difficult to compart the corrected model results with
$ i their stated values for individual systems since we could not varify their 13 -
.a *i -
original numbers. d.;
\ .
a v
-i 3.4-5
,-i
,M .. . . _ _ _ _ . _ _ . . .
!i 5 . . . . . . . . . . . . . . . . . . . . . - . . .. . . _. . . . . - - . . . . . , . . . . . . . . .
. - - - _ , _ _ . . . , - . - _ , . - . __ . .. - - - - - _ ,,,- - _ _ _ , ,_,-..__,......., .. --. - _ . .-. _ .- --_ _ - _ - ._..~.-..
?
l* The text and tables presented in the systems analysis sections contained D> numerous errors. Most of these errors can be attributed to typing, document production, errors in addition, etc. Although we cannot determine whether , w .0 , these errors were propagated through the remainder of the analysis, the number. l
;.] ,
of errors contained in these sections leave serious doubts about the validity
- e :
'j 'j of the results. .T.j' .
') ,
l E f i I'h 1 0t 1 :
. al e .
e O. e 4.e
/.
A
$.h ; .i i , "Q ')' '
it h J i\
]
f.:
.G .
t I)
.i
,' 3.4-6 4
).
e I
. ; 3.4.1 El.ECTRIC POWER SYSTEM l.
O ? 4 , 3.4.1.1 SYSTEM DESCRIPTION ?il ,d . S :
.] The electric power system is designed to provide the AC motive power and DC Q !
[ ,l control power necessary for normal operation as well as for the, mitigation of ."i j ] ., abnormal events that could affect the reactor core, the reactor heat revoval M 7 systems, or systems that affect the release of radioactivity to the y Yj environment. The electric power system also provides power for the .,) y instrumentation needed to monitor key plant parameters and to provide input to e : 3 1 the safeguards actuation logic and reactor trip logic.
! Ouring startup the generator step-up transformer (GSU) supplies power from the grid to both unit auxiliary transformers (UATs). After generator
!(7' synchronization, the generator breaker is closed and the flow of power reverses so that the GSU and UATs are then supplied from the generator. The I'b UATs supply the 13.8 kV buses, the Class 1E 4.16 kV buses, and the non-Class q - ,
'rjj ,
1E 4.16 kV buses. b B d
!.f The Class 1E system is divided into two redundant trains. Each train consists hej
.: of a 4.16 kV bus, an emergency diesel generator, 480V load centers, instrument
{ g ! and control power supplies, and two 125V DC batteries. A reserve auxiliary y ' transformer (RAT) in each train provides an alternate source of offsite power lj d redundant to the UATs. 1 R
- d. .
..w J J
'd
, 9 3.4-7 i '
i
?
I f
! 3. 4.1.2 SYSTEM ANALYSIS 1
bQ '
'h The following assumptions were made for the system analysis. ' .i,
- The 4.16 kV switchgear fails after 2 hr without cooling. .
~) ,..
- Ventilation is not required in the battery rooms.
1
- All crossties are open.
h) 'l 9 j
- AC power is modeled only cown to the 4.16 kV buses. The 480V IC i
[j i buses are combined at the 4.16 kV level in a bounding model because y 'l failure of the 480V buses is dominated by failure of the associated 4.16 kV 1 i
,) ! - bus. ,
1 i
- Power is unavailable from the main generator, requiring the generator 1 1 breaker to open to allow backfeeding of the UATs.
i ,
- Failure of service water cooling to the diesel engine jacket water coolers or failure of the fuel oil transfer pung cause diesel generator
. C).
l t
! failure. -
- Failure of the emergency power sequencer is equivalent to system failure
.1 ,7 l at the 4.16 kV bus level. . t:
Q
- Ocerator recovery actions are not included.
IY l
'f 3.4.1.3 RESULTS
,:l i System mission time was defined as 24 he following the initiating event with L j offsite power available, and 6 he following a loss of offsite power.
~T' Unavailabilities for the Class 1E electric power system were calculated for j the following states, given the first condition listed.
d (~
's
- 3.4-8 4
4 f State 1 : Offsite Power Available / Buses E5 and E6 Unavailable O EP(1) = 2.55E-7 This is a hardware coatributioa onir. State 2 : Loss of Offsite Power / Buses E5 and E6 Unavailable 3 EP(2) = 7.70E-3 Hardware is more important than maintenance and d i common cause.
'3 h; -
d.lI State 3 : Loss of One DC Bus / The Other AC Bus Unavailable J i U ! - EP(3) = 5.84E-2 This is a hardwarv contribution only. i) 1 1: ' t State 4 : Buses E5 and E6 Available / Both DC Buses unavailable
- , i j EP(4) = 2.84E-10 This is a hardware contribution only.
i I
^ , State 5 : Buses E5 and E6 Uriavailable / Both DC Buses , Unavailable ,
{ ; . 1 EP(5) = 4.59E-7 This is a hardware contribution only. I
- 3. 4.1. 4 C0petENTS J
4 Equations for system unavailability for the five states were determined by i t inspection from the reliability block diagram (R80) in SSPSA Figure 0.2-11 on p pages D.2-76 and -77. The R80 shows Bus E5 as being powered from offsite power through either UAT-A or RAT-A, or from diesel generator A. Similarly,
.( Bus E6 is shown to be powered from offsite power through either UAT-8 or RAT- .i 3 B, or from diesel generator B. UAT-A is shown to be independent of UAT-8, and b7 RAT-A is shown to be independent of RAT-8.
4 f 4 1 I. .s .
- i. 3.4-9
-. .. . . . _ . . ~ . . _ . . - . . , , . - . . . . . . . . _ _ . - . . . . . _ - _ . . . . _ . - . . _ _
-..n. - . =- ?- ' -.- - <.L.-,-,- --- -.'- , -.n ,- . . . , . - . _ . _ , n-----.- - - - . - - . - -
This representation of independence is not consistant with the description of G V the UATs given in SSPSA Section D.2.1.3.2.1.2 on page 0.2-4 (item a below) nor is it consistent with the description of the RATS given in section
.j 0.2.1.3.2.1.3 on page 0.2-5 (itas b below):
9
- a. "If actuated, the protection relays trip the unit and transfer the
.1 ? '
plant electrical loads to the RATS Actuation of, a relay for one UAT 4 I will isolate or trip both UATs." i i 1:{ i
. i dl
- b. " Actuation of a protective relay for one RAT will trip or isolate both i ~
RATS." Througn a check of the electrical drawings and conversations with the Seabrook technical staff, we conclude that the system does function as described in a
,. and b above. Although 'it is possible for an operator to isolate one UAT and b!
. thereby operate the plant electrical system from the other UA_T and the appropriate RAT, this is an unlikely situation. In almost all circumstances f
$ of a UAT (or RAT) failure, the twin UAT (or RAT) will also be tripped.
Therefore, for the purposes of this analysis, the UATs are not independent cf each other and the RATS are not independent of each other. L
.I l The RBD as constructed includes redundancy (through the modeling of 3 .j independence) which does not actually exist. A revised RBD which correctly 3 models the transformer dependencies is shown in Figure 3.4.1-1. Blocks UA and
. :.j. j1 UB from SSPSA Figure D.2-11 have been combined into block UAT in Figure 3.4.1-p 1. Similarly, SSPSA blocks EES and ME6 are combined into ME; SSPSA blocks j" RA and RB are combined into RAT; and SSPSA blocks RBES and R8E6 are combined (. into RBE. 3.4-10
- -- - ~ . . . . . - - - . - - - ~ ~ ~ -- ~
.- _ ~ _ _ _ _ _ . _ . . - - , _ . _ _ _ _- - - _ _ _ _ ._ . _ _,---__. - - _ - - _ _ .
a I ,.
' This correction to the R80 could potentially impact the results for State 1.
] However, when applying the results for the block hardware failure 2 contributions listed in SSPSA Table D.210 on page 0.2-60 to the complicated
.;.i expression for State 1 given on page 0.2-30, we find that the unavailability
'4
.s
,j, ;
is completely dominated by a single ters: the product BE5
- BE6, so that this 3 ..
correction to the R80 has no effect on the result.
.J, ~!
d w . The only common cause failure in the electric power system that was considered
- quantitatively is the failure of both diesel generators to start and run for 6 hr. This contribution was only calculated for. State 2, even though State 1 also includes both diesel generators in its unavailability expression. Since the terms including the diesels generators in that expression are not a +
- p. significant contributors to the result, as discussed above, the omission of the common cause contribution is not significant. However it should have been u -
., calculated and reported in SSPSA Table 7.2-4 for completeness.
9 h Wg Another area of incompleteness concerns the Class 1E 120V AC Distribution F i j.( . System. This system includes 6 instrument buses each with its own inverter. t The inverters are normally powered from the emergency buses through 480V motor
]
3, control center circuits through 480/120V distribution transformers. Backup i :' S power is provided from the 125V battery buses. The instrument buses provide power to safeguards and protection instrumentation channels and to the balance y!. of plant Class 1E instrumentation. .,] P, Despite the importance of this safety related electrical subsystem, no
'1 (. modeling or quantification was performed for it. Although it is claimed that ; ** i i I 3.4-11 i
i t i ['. . _ . ... . . . , _ . . _ . , , . . . . . . . . . . . . . . ....
1
; the 480V tuses art included in calculations for the 4160V buses, the 120V AC
*i .
- .3
,3
' buses, transfor ars, and inverters art not included in any logic hardware
. .t
.! blocks in the RBO. This system is not represented in any of the failure logic
',j expressions, nor is its unavailability quantified. A curious inconsistency is
) - .! ; the inclusion of the letter designator "J" representing inverter failure in ;) ;
the list in SSPSA Section D.2.3.1.1 on page D.2-32, and.the inclusion of
'i l inverter failure datum in SSPSA Taele 0.2-8 on page 0.2-58 .
4 ,i o ., , 3.4.2 SERVICE WATER SYSTEM f 3 y . [ SYSTEM DESCRIPTION The service water system (SWS) provides cooling water to transfer the heat loads from various sources in the primary and secondry portions of the plant - C, to the ultimate best sink. The SWS consists of a seawater service water systen and a cooling tower system and their associated ventilation systems. q
. Cooling water u p'rovided to, the primary component cooling heat exchangers, u
the diesel jacket water coolers, and the secondary component cooling neat l exchangers and condenser box priming pump heat exchangers. The seawater service water system consists of two trains, each having one pump running and another as backup. As a redundant backup to the seawater system, the t
% . mechanical draft evaporative cooling tower uses the same outlet piping and 4] contains one pump in each of two trains along with three fans, two of which $ are in consson with Unit 1. The ser'vice water pumphouse and the cooling tower .- c each has its own heating and ventilation system.
i
't r , , s.
3.4-12
._,_. ,..... .. .. ,. .... . . . . * * - . ., .~.- . . .
l SYSTEM ANALYSIS RESULTS l
. A y n :
i
',j A total of seven variations of three main cases is analyzed for SWS '4 unavailability. Case 1 considers the seawater SWS unavailability witn offsite j -
power available, with two boundary conditions consisting of an 'S' signal
- s f) 1 (safety injection actuation) present and an "S' signal absent. Case 2 y .
~
considers the seawater SWS with offsite power unavailable, with two boundary 3 ,
.9 *
'.* conditions consisting of all support trains available and one support train L i
! unavailable. Case 3 considers the unavailability of the cooling tower system, f f Li with three boundary conditions consisting of (1) all support systems 8 l
; available; (2) train A unavailable; and (3) train B unavailable. In this
- 1'-
-l case, the unavailantlity of train A does not equal that for train 8 due to an additional fan placed in series in the reliability block diagr.im for the 8
. . train.
~'
~
!I . .
- ' ; The mean system unavailability results as reported in SSPSA Appendix 0 pages O.3-28, 0.3e31, 0.3-51 to -53 are as follows.
t , i Case 1 - Boundary Condition "S" Signal : 2.32E-4 L'. Ij i Conmon cause dominates hardware and maintenance. e , th s1 ! s
! Case 1 - Boundary Condition No "S" Signal : 6.43E-6
)3
- .] -
Hardware dominates maintenance and connon cause.
.1 y
. Case 2 - Soundary Condition 1 : 1.10E-3 Common cause and hardware both contribute significantly.
+
( 3.4-13
, -l _ - -
Case 2 - Boundary Condition 2 : 1.93E-2
-. Hardwart contribution only.
r
?
9' Case 3 - Boundary Condition 1 : 2.46E-3 1 Hardware and common cause are more significant than maintenance.
] ? . .
if w
- Case 3 - 8.C. 2 and 3 (no distinction made) : 4.83E-2
- I g
Hardware apparently dominates maintenance. H
,l Another set of resuls is available in SSPSS Taole 7.3-1 on page 7.3-4 in watch n
all of the hardware unava11 abilities are different from the Appendix 0 results, while maintenance and common cause numbers are the same. No calculations or explanations are provided to account for the differences. The
~
- new totals follow. '
.b.
j Case 1 - Boundary Condition 1 : 3.81 E-4 9 I The hardware contribution was increased by a factor of 4 so that .tYi t f < hardware and cosmon cause contribute equally. 1 ' l. 0 j j Case 1 - Boundary Condition 2 : 1.65E-4
' I The hardware contribution was increased by a factor of 24 and ' ,1, f
l'[j ; continues to dominate. In defense of this version of the J;
- result, our point estimate calculation based on mean values gives a hardware unavailability of 1.56E-4, which compares ^] .
L.; favorably to the SSPSA Table 7.3-1 entry of 1.55E-4. i o Os b
\
3.4-14 9 am *euk emane em eme se m eng e m se e s e espeso e -4 e n, e
.s+. ...,e e,. .
..w eeeeee. A.- e... e n -e* -. . . , . . . .
Case 2 - Boundary Condition 1 : 1.25E-3
'. -' The hardware contribution was increased by 42%.
t .j.- Case 2 - Boundary Condition 2 : 1.93E-2
.J 1 .
The hardware contribution was increased by 11. J
.a* : . Case 3 - No results presented.
ComENTS i These consnents pertain to the analysis in SSPSA Appendix 0.3. I The following assumption from page 0.3-14 states: 4 "The failure to close on demand of each SCC heat exchanger inlet Q; isolation valve,' (V4, V5) would degrade the cooling function of the
' affected SWS train during event response operation. Therefore, these two valves are included in the model." ?.;
t h .
- J
- This seems like a reasonable assumption until we examine its consequences. In Case 1, with all support systems available, offsite power availacle, and an S C]
d sipial, the equation for service water system unavailability is EON D.3.1 on M page 0.3-17, l} 3 ' N SWA8 = T + S1
- S2 + PI A
- PIB + (Y1 + A
- C + E) *
] ..-
(Y2 + 8
- 0 + F) + Z + STR
.l V 1
3.4-15 e .m .. .e me . t e.emmene m me ammemen . e
. . . . . - . .. . . . . . , .. A. ... - . . . . **. . .. -
The evaluation gives a mean of 5.04E-5 on page 0.3-28. Evaluating the equation simply with mean values produces a point estimate of 2.66E-5. Of w 5 this result, 70% is attributed to the product E*F (1.85E-5); while 95 is attributed to the tem Yl*F + Y2*E (2.32E-6); 81 (2.22E-6) is attributed to M Li the term Z; 6% is attributed to the product PIA *P18; 3% is attributed to the
't product S1*S2; and 11 is attributed to the tens T (2.50E-7). ]
d n p Let's examine Wiat these. tenas represent. On page 0.3-27. E = F, and the 1 lj unavailability is dominated by failure of the motor operated SCC isolation
.C J valves V4 and V5 to close on the S signal. Again it's restated that failure f, .
to isolate by these valves is assumed to cause failure of the associated SWS train. From page 0.3-22. Y1 = Y2, and is dominated by relief dampers OP-60A . and Op-608 in the SW switchgear rooms. On page 0.3-28, Z is the intake tunnel MOV-44. On page 0.3-21, PI A = PIB, which includes fans and dampers in the pump area of the pumphouse. From pages D.3-25 and 0.3-26, A = B, and is
*t j dominated by the normally operating service water pumps. Also C = 0, which
,,4 t ' combines the backup service water pumps, check valves, and motor operated u U valves in the backup pump lines. Finally, T is the tornado check damper, and m J. 51 and 52 are supply fans. a : ; c c 5 - jG , The variable STR represents strainer S-10 and S-11, which can fail by m :
*# blockage. However, the explanation on page 0.3-28 assumes that strainer
& failure probability is negligible. This is curious since in the PRA for Jy 4 M111 stone-3, the most important contributor to service water system 1.t unavailability for cases with AC power available to both trains was strainer g'. blockage. L'! ,. G l , 3.4-16 1 .- .. .__........,.....,4 -. ;. .. , . . ~ . . . . . . . - _ . , . . ,,.. ,
- _ . _ _ _ . _ - . , _ . _ . . _ _ _ _ _ _ _ . _ . _ _ _ _ _ _ _ ~ ._. _ _ _
u 4 We now see that approximately 82% of the system unavailability is attributed 13 - to failures of one or both SCC isolation valves, while another 10% is 4
~:
- j. contributed by the pumpnouse. ventilation system. These unrealistic results
.j .g are due to the conservative assumptions made for these ccmponents. It was 4
j- assumed that failure of the SCC isolation valves would fail the entire
':j <
system. However these valves only function to prevent service water flow to {} ' 34 the SCC system after an.S signal. Should the valves fail, a small fraction of 4 the total service water ficw normally available to the PCC heat.exchangers and m.1 diesel Jacket water coolers would be diverted to the SCC system. Since 3 j offsite power is available, there is no load on the diesels in this case, and 4 the heat removal load from the idling diesels can be easily handled. The PCC
'l '] heat exchangers would receive less than nonnal flow, and after the regulating i
valves open fully any continued flow deficit would reduce total heat removal
. from the heat exchangers and increase the outlet water temperatures. Then the
. L.;
components and heat exchangers cooled by the PCC would have small temperature rises in their cooling water. Because of the conservative designs of these
~
components, it is considered very unlikely that any failures will occur,as a f?4 result of slight temperature increases. id ; jt f) ; Therefore a more realistic assumption for this analysis is that failure of the
$) SCC isolation valves will not fail the service water system in this case. *1 ,1 Then E and F are set to zero in the equation for system unavailability, and '-l 7 the result, is a reduction oy about a factor of 5 to 5.03E-6.
Similary, we can improve on the assumptions made for ventilation
]
requirements. On page D.3-14 it is stated that the ventilation fans are h, probably not required in winter. Yet the assumption made is that ventilation l 3.4-17 e -m.>--ev.D ==- se . 4 --e c y . se p .ml$ir ' *Shir** G".-_ '49'.G M '$e #9 F* Op -* .m* N el'*'Me %* @* D *pe e = we
. , . -.~ . . . . .
.. ~ . a.. . a, . .
- a.- .
I t
. is always needed. Considering the climate of the New Hampshire coast, we feel J an assumption that ventilation is only needed for half the year is still conservative, and a realistic assumption is that loss of ventilation will not cause loss of service water. Evaluating the equation for these two cases
- j. gives a system unavailability of 3.43E-6 for the 50% time ventilation needed,
,9 and 2.22E-6 for no ventilation needed. This represents reductions in the M ?
l original unavailability calculation by factors of about 8 and 12 respectively. 9
,.] i
; We have shown how the use of overly conservative assumptions can significantly
+
d increase the estimate of SWS unavailability and attach dominant importance to _;.8
] , .
components such as SCC isolation valves and pumphouse ventilation fans. Such j results could result in incorrect or inappropriate decisions on potential systae modifications or upgrades. This case is just one example of how the t g- conservative philosophy used throughout the SSPSA systems analyses makes the
. v
; quantitative results less meaningful and makes it more difficult to gain s
.j: ; useful insights into system reliability.
'o !
; t -
- J i i
I.1 l
'j I
wa M 4 !. a l M i l4 U i 4 l
.l 3.4-18 I ._ . . ~ . . -- ._. . - . . . . . - .
. . . . . . . w . .w - ;. ....r. - .. .
- a i
3.4.3 PRIMARY COMPONENT COOLING WATER SYSTEM
, ~~ I
\.
. i
'h i ,
3.4.3.1 SYSTEM DESCRIPTION i o j The primary component cooling water system (PCC) supplies cooling water to
;.1 i !
i prevent overheating of components which are needed for plant operation or to d i satisfy one or more basic safety functions. These components include : 8
], j containment building spray pumps and heat exchangers, residual heat removal
~
t > y j (RHR) pumps and heat exchangers, safety injection pumps, centrifugal charging 1 ; pumps, containment enclosure coolers, and reactor coolant pump (RCP) hemal ti
'd barrier cooling heat exchangers. The PPC water system is divided into three subsystems for this analysis : a PCC system, the RCP thermal barrier cooling I' system, and the primary auxiliary building air handling (PAH) system. ~
G The PCC system consists of two ' redundant cooling loops which remove heat from various primary components during power, shutdown, and accident conditions. M dd i Each loop contains two centrifugal pumps, one heat exchanger, and one head i n ; 8, i tank. One pump in each loop normally operates while the other acts as a [1: backup. Flow to nonessential services inside containment is automatically isolated on a P signal by the containment isolation valves. Flow to Ah] nonessential services outside of containment is automatically isolated on a T r
]
.N,,
; , signal by the waste processing building isolation valves.
.i , i The RCP thermal barrier cooling systen includes two heat exchangers in series.
./
two recirculation pumps in parallel, an expansion tank, and motor-operated i valves. The PAH ventilation system provides ventilation to the PCC area when normal PAH ventilation is unavailable. This is assumed to occur only during
' 1 C
t. I 3.4-19
.i .
,,~ . _ . .. .. . .
.. _ .. .. _ a ,_ ...
_,..y ... _ _ . ,
I loss of offsite power conditions. This system includes two redundant trains s
/ of supply and exhaust dampers and fans. .y .; 3.4.3.2 SYSTEM ANALYSIS
- 6. a d ;
The following assumptions were made in the SSPSA analysis. 3 3 ',
- Failure to close of the PCC isolation valves for the containment structure y ; and the waste processing building results in failure of the associated PCC train.
I '
- No credit is taken for operator actions to recover failed equipment over the 24-hr mission time.
1
- Ventilation is required for PCC pump operation. The normal PAH ventilation system is always available when offsite power is available. Therefore failure.
. ,l of the backup PAH ventilation system to operate for 24 hr causes failure of .
the PCC system for loss of offsite power cases only. i i
'i i
; The PCC, RCP thermal barrier cooling system, and PAH system unavalabilities
'. ; ! were quantified for six cases depencing on the availability of service water
'4
.] fi and offsite power and the need for isolation of the PCC cooling loads inside a '8 containment.
il I Boundary Condition 1 - Case A : Offsite power available, service water
] '
- ( available, no P signal required.
PCC = 1.54E-6 Hardware dominates maintenance and coninon cause. RCP = 1.12E-4 Hardware contribution only. PAH = 0 Assumption. l C i
;! 3.a-20
?_. . . . _ _ . . . . _..;, ... .. . . . . . . _ . . _ . _ . .
'n.
- l -
2 . i:
- Soundary Condition 1 - Case 3 : Loss of offsite power, service l;
. i- O water availaula, no P signal required. 't :
PCC = 1.25E-5 Ccmon cause dominates hardware and maintenance.
.b :, RCP = 2.33E-4. Harcware contributes 550, c: mon cause 45% .
PAH = 7.69E-6 Hardware contributes 710, maintenance 29% .
.i j
{
- Boundary Condition 1 - Case C : Offsite power available, service water i
; j available, P signal required.
+
, 1 PCC = 1.53E-6 Hardware dominates maintenance and conunon cause. Results are
- similar to condition 1 case A.
,J .
RCP and PAH results are not reported, but should be identical to condition 1 4 case A.
.--
- Boundary Condition 2 - Case A : Offsite power available, only one train of L.
service water available, no P signal required. _ j* I PCC = 9.01E-4 Hardware contributes 66%, maintenance 34% .
.5 ; RCP = 1.16E-4 Hardware contribution. only. .il j PAH = 0 Assumption.
- Boundary Condition 2 - Case 8 : 1.oss of offsite power, only one train of M
j j electric power available, one train of service water available, no P signal ij required.
;] [ .] PCC = 1.05E-3 (Table 7.41 page 7.4-3) or PCC = 9.46E-4 (Table D.4-11 page +3 D.4-46) Hardware contributes 58%, maintenance 32%, consnon cause 10% . .:;l fj Apparently 'the second result referenced above is an error. The main
.a
'l q difference between this case and case 2A is that the backup PAH ventilation
- q. system is required to function here.
Ji y C i 3.4-21 3 l l ... ..-.-..:--.,,,..~.. - - . - . - - , 1:
3.. . , .. .-. .. i i RCP = 3.86E-3 (Table D.4-11) or RCP = 3.85E-3 (Table 7.4-1) This is a
! hardware contribution only.
2 :
- I ! PAH = 2.13E-3 Hardware contributes 57%, maintenance 43% .
at i
- ! i
.t i li -l
- Boundary Condition 2 - Case C : Offsite power available, only one train of a i e service water available, P signal required.
- !j Hardware contributes 66%, maintenance 34% .
% PCC = 8.94E-4 a
t
- .]
RCP = 3.85E-3 This is identical to case 25. i
'I PAH = 0 Assumption. ~!
- s
- I ! .
] 3.4.3.3 COMMENTS i .
1 4 I The. logic equations for the PCC system without ventilation for the six cases i .) are as follows. _ l}
- 1 i
- PCC-1A = (AB + C)(A8 + C)
!.l l4 j
- PCC-18 = (B8 + C')(88 + C')
[.1 1
- PCC-1C = (A8 + C')(AB + C')
?:]
- PCC-2A = A8 + C
;-.m i
j '4
- PCC-28 = (88 + C')
..) ..
-l I a i
- PCC-2C = A8 + C' 14 ,r
-1 '
f-i
,k. 4 Al Problems exist in the quantification of the blocks for C and C', which appear 2 in every case. According to the system description on page 0.4-6, the 15
- . containment isolation valves (CC-V168, CC-V57, CC-V121. CC-V122, for loop A)
C ciose auto aticaiis oa a e sisa=i. .other vaives are ciosed auto aticaiis oa a i i. i 3.4-22
...__.._,._,p._. .
.~... ,.
. .c . - . .
t i i l i T signal, but this situation is not included in the boundary conditions J ! - considered. Again in section D.4.2.1.1 on page D.410 is stated : "The PCC
), .
;. isolation valves for the containment structure and the waste processing
]
1
; building are included in the analysis since the failure of these valves to j ; close on demand given an initiating event will result in failure of the -
i ji l associated PCC train." The initiating event demanding, closure of the wasta
-1
\
h< ; processing building valves (T signal) is not included in the analysis. 1 .g 1 : Finally, the discussion in section D.4.3.1.1.1 on page D.4-16 treats the waste j i q processing isolation valves as if they are closed on a P signal (the same as
}
i ; . the containment isolation valves). b i 4 Blocks C and C' include all of these valves as well as some others. Several errors are apparent in the quantification of these blocks. In block C, the containment isolation valves are to remairi open (no P signal) and failure i occurs if any of the four valves transfers closed during operation (4
- 6.41E-
'l 1 6 = 2.56E-5). The weste processing building isolation valves, the spent fuel t . i i l' : pool supply valve (CC-V32), and the letdown heat exchanger re1! urn valve (CC-L !
- l V341) are also open and failure occurs if any of them transfer closed during
, [] . operation (4
- 6.41E-6). This is contrary to the failure mode listed in Tanle D.4-7 on pages D.4-35 to -40. Using these values, the mean. value of block C is 1.09E-4 .
, i
.] ;
>A t if ? In block C' a P signal is present, and containment isolation fails if 1 valve K' . out of 2 in either of 2 sets fails to close. This is quantified correctly.
'i.
'* However the isolation valves for the nonessential services outside of
- containment are not affected, and their failure mode is the same as in block
, .} l C. Therefore the mean quantification of block C' is 7.97E-5. { 3.4-23 i l - - - .. t.. _ . . . . . _ . . . . ... . ~ . . . _ .. . . . . . __
. . . . . ~.. . .
i l Requantifying the six cases using mean values gives the following point (v', estimate results for hardware unavailability. I ,
.,;
- PCC-1A = 1.26E-8
-l .
- PCC-1B = 4.06E-6
!
- PCC-1C = 6.82E 9 IU l
- PCC-2A = 1.12E-4 1
- i. !.
- PCC-2S = 9.35E-5 i
- PCC-2C = 8.26E-5 l
'!i ,
Due to the numerical treat: ment of probability distributions in the SSPSA, i thes'e results are directly comparable to values in SSPSA Table 7.4-1 only for I cases 2A, 2B, and 2C. We note that the requantified results are lower by
.n factors of about 5 and 7 for cases 2A and 2C respectively, and lower by 85%
- \ ,1 . .
j , for case 2B. We expect significant changes in the other cases as well. l]A , The assuimption that ventilation (PAH) is required for PCC system success is overly conservative. Using Table 7.4-1 values, we note that the PAH hardware contributes 79% of the unavailanility for the PCC hardware in case 18, and PAH ,4s ,n
- I contributes 38% of total unavailability for PCC. In case 29, the PAH FI Tj i contribution is 67% for hardware and 67% of the PCC total. Since the PCC MI i unavailabilities without PAH are expected to decrease in lignt of the l
; ! preceeding discussion, the percentage contribution of PAH will be even
,J ! l' larger. A thermal analysis is needed to determine the effects (if any) of 1 t G' .1 l loss of PAH on the PCC so that realistic assumptions can be used. d t la i, (a' .
- 3.4-24
't 4. i
- m y. . , . . . . - . - - - -.- ++- - - - . . ~ . - . - - - ~ . . .
1 l
-}
i i 3.4.4 Instrument Air System l n
- i n 3.4.4.1 System Descriotion
?! j i '
2
- y. '
The instrument air system provides air for pneumatic instruments and . 5.i
., controls. Three air compressors are piped in parallel, discharging to a ,
v i common header that feeds two air receivers. The two air receivers are
.i '
connected by a l' line that contains instrumentation for compressor control g , and receiver depressurization isolation. Each receiver outlet branches into i i two discharge paths. One line is connected to a connon header that supplies 1 the service air system. The service air system does not perform any safety i related functions and is not considered in the SSPSA analysis. The other i l discharge line from each receiver is connected to its own air drying system . t . that supplies one of two redundant instrument air loops (headers). The pipirig
!! from each dryer contains cross-over piping to the other loop so that each receiver can supply both air loops.
; .]
Two of the air compressors are connected to amergency buses. Cooling of the
,g ',.k l compressors is provided by the secondary component cooling (SCC) system, which 11
]j ; 1s cooled by the service water system (SWS). The SCC becomes isolated from the SWS upon either loss of power or a safety injection signal. The SCC is
-d l .,
'!{ ! not analyzed in the SSPSA.
.l
,q hk i
,y 3
w' ; 3.4.4.2 System Model a
*4 I
.} The instrument air system is not a safety system and is not included as a top I
h event in the event trees. Loss of instrument air will cause air operated l '- j 3.4-25
? - . . ,. . . . . . .
! ~ - - - - - - - ~ ~ ~ - _-,n~ . . - . - - -
- - - - , - .i-.-. ':. _ . . . ; l L' - . . _ . - , _ , . ,__..__,.,._-,,_._.,_,..'L..,,_-._--,.__.
.s . .. . ... . .
. I 1 valves to fail to a predetermined position. There are three sets of safety
., significant valves that fail in the closed position on loss of instrument air; main feedwater valves, steam atmospheric relief valves (ARV); and condenser fff steam dump valves (SDV). ,
.1
.; +
- t The ARVs are not considered to require a continuous supply of air since they kl am equiped with air accumulators. the ARVs are discussed in the section on il 1 main steam (3.4.10).
di k Closure of the main feedwater valves will result in a turbine trip and will
'3.
not allow the main feedwater system to supply coolant to the steam generators
] !
t l 1 ; for decay heat removal. Loss of instrument air as a loss of feedwater f initiator is considered to be included in the data for loss of feedwater
- - i
! transients. The main feedwater system is not considered for accidents
; O involving a loss of power or a safety injection signal.
1
-t i The instrument air system is included as part of the secondary cooling
- t 8
. function in the main steam analysis through the dependence of the SDVs. A .1 S discussion of the SDVs is given in the section on main steam (3.4.10).
v 1 . H !
] The instrument air system is analyzed only under the specific boundary condition for situations were secondary cooling is needed. The reliability t
- =
-! block diagram of the instrument air system was used to detemine its
- w. N.
+ - unavailiability to supply air pressure to both redundant air loops. W .; i4, l.. < The model assumes one compressor is operating, one in standby, and one in j y maintenance. Failures in the service air system are assumed to not one in i 3.4-26 r , e game . . weme em e.e. + + . . O m. m..-e
*=- .c . - . - .
- 3. ., y ,, . . , .. . .- ,-.. . . - ~ . . . , . . . .
. - - - _ _ . _ _ , _ _ _ . . _ . _ _ . . _ _ s.. _ . . , ___ .__ . _ _ . _
.m - . . . . . . ~ . - . . . . . . . . .
4 T
.. ~ - - . . . . _ _ . .
i l 6 .q. i
! I 4 l 1
,j g t maintenance. Failures in the service air system are assumed to not affect the i
' p .- instrument air system. Catastrophic failure of either air receiver is assumed to fail the system. Operator recovery actions and pipe breaks are not
)., , considered in the analysis. Unless the initiating event is failure of the } service water system, the SCC system continues to provide cooling to the ,U. compressors. y t 1
.j l The system unabailability was calculated to be 3.07 E-4 for a mission time of <3 : ' *] ] 24 hours. Over 96% of this availability is contributed by consnon cause t
j I, failure of the two available compressors. This failure mode is both
'i i
'l compressors fail to run (the standby compressors fails to run after
; l' successfully starting). Hardware failures associated with the compressors l contribute about 3.8% to the systen unavailability.
1
- !O l
The system is a nonnally running system, therefore, test and maintenance was
. s lI l not explicitly included in the analysis. One compressor, however, was
.; l considered unavailable due to maintenance. This assumption is conservative. n ; 4
.'t?
1 3.4.4.3 consnents M 44 ie j The analysis of the instrument air system is used as a contributor to the
))J i l
failure of the SDVs for secondary heat removal. The event SC (secondary cooling), which includes the SDVs, is used'as part of the event tree top event f.! EF, emergency feedwater and steam relief. The event EF is included in many of
'd
;4 the sequences that are significant contributors to both core melt frequency
*i
- and health risk. The degree to which event SC contributes to event EF is discussed in the section on emergency feedwater (3.4.8).
Q , i 3.4-27 b esp. . s>gs - er =
- e ,ye .=g
*N*N.%- e **{
-N** * * * * * . * " * * * * . '
' W 7 M "*.-***
- s. . .
~
. - ~ . . , . , - . , . , . . - - - - - - - -
r
. , , .a..,. ..-* ... .
I The analysis only considers failure of the air supply loops. There is no
' f'i
- consideration for isolation valves and filters between the air supply and specific air-operated valve. For valves which are normally closed and fail closed, isolation valve failure, clogged filters and human error following
' test and maintenance should be considered.
.. i
'i !
,! The dependence of the instrument air system on the SCC system has not been i
- adequately considered. The SCC system will become isolated from its cooling i !
fj source given a safety injection signal and discontinue operation on loss of off-site power. These conditions would in turn cause the air compressors to i stop due to high temperature. The SCC systen is dependent on the service water system and the engineered safety features actuation system (ESFAS).
; These dependencies have an effect on the function of the secondary cooling f, system for sequences requiring decay heat removal for periods longer than 2 ~, hours. This dependence is discussed in the section on event trees (3.2).
1 , ; ,. 7 --- ~ : y- s e- v -- . - - - ~ - - ~ ~
- a- ,- .. . . . . . . . . . . ~
i
.- 3.4.5 REACTOR TRIP, SOLID STATE PROTECTION SYSTEM. AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM i
j 3.4.5.1 SYSTEM DISCRIPTION 1 h 9 The reactor trip system (RTS), solid state protection system (SSPS) and
]
~
engineered safety features actuation system (ESFAS) provide for the detection
; ; of off-normal occurrances and the actuation of protective actions should an
- . accident situation develop. The SSPS ' receives signals from various plant sensors and, dependent on those signals, respo'nds by sending signals to the RTS and/or ESFAS. The RTS trips the reactor.. The ESFAS multiplies the signals 1
it receives to actuate the various systems designed and needed for accident g v - mitigation. The RTS consists of two trains of reactor trip breakers, a manual actuation circuit and 57 neutron absording control rod clusters assemblies. Each RTS train contains two breakers' (primary and bypass) that connect power cf d from an M-G sets to the control rod drive mechanisms (CRDM) that hold the q O control assemblies in place. All four breakers are identical. Each breaker contains a DC undervoltage coil that overcomes spring pressure to keep the
.g plunger from opening the breaker. A shunt trip coil is provided for manual
; actuation. The bypass breakers are provided to allow breaker testing with the 1 reactor at power. Upon a SSPS or manual actuation signal the breakers trip and remove power from the CRDM coils, allowing the control rod cluster assemblies to fall into the core. The breakers will also trip on loss of electic power or loss of signal from the SSPS.
/
3.4-29
#*[ h*%' 'f
- g - 0 ' '
-W '"
The SSPS censists of detactors, analog protection racks, logic protection
. /~i
'- racks and interconnecting cables. . The detectors continuously monitor plant t
conditions and output to a:::alifiers in the analog protection racks. The amplifiers feed bistables ::iat trip when a preset condition is exceeded. Each bistable actuates 2 relays. Each relay feeds an independent and redundant logic train, Train A or B, located in the logic protection racks. The logic trains contain solid state matrix elements that output to the RTS and/or ESFAS 1 when a prescribed number of channels indicate an out of tolerance condition. The input detectors, amplifiers and bistables are powered from uninteruptable power supplies (UPS) and fail safe on loss of power. The input relays are energized by the bistable and actuate on loss of power (except the containment spray actuation relays that energizes to actuate). The matrix elements are powered from two 15v DC power sources. The two power supplies are auctioneered l so that the highest 15v supply actually supplies the load. The two DC power i C, 1 supplies are powered from instrument buses IA and 1C for Train A, and 18 and ,c . i, ID for Train 8. l
; The SSPS receives signals from the followin'g systems:
{ 1) Nuclear Instrumentation
- 2) Primary Coolant
- 3) Pressurizer
- 4) Steam Generator
- 5) Containment i
j- 6) Main Steam, i l- ! The detectors, analog racks and logic rack have the capability of being tested t
'( during power operation. The ESFAS contains master relays, slave relays and 3.4-30 l
i [ --.v.. ,--e,..
..m9 .mp %s ..-me .- .. ...r.. ,--
. . _ , - . - - ~ _ _ - . . _ _ - . ,. _ ..
~ , ..., . . . . , . , . . . . . . . . . . . . . . . . . j 1
l l l interconnecting cables. The master relays receive the signals from the SSPS '
; C.s
.' logic trains and distribute them to the appropriate slave relays. The slave relays provide contact multiplication and supply the appropriate signals to proper components needed for transient response. The ESFAS actuates components
, . in the following systems:
i
-j i
j 1) Safety Injection f 2) Residual Heat Removal f! 3) Chemical and Volume Control
- 4) Emergency Feedwater
'. ; 5) Containment Building Spray
- 6) Main Steam
- 7) Main Feedwater
! 3) Turbine Generator
(~.), j 9) Enclosure Air Handling 1
- 10) Service idater li *
, 11) Primary Component Cooling J.?:f
- 12) Emergency Diesel Generators l$
l'.
' 13) Containraent Ventilation f ! 14)- Containment Isolation
~
j IS) Control Ventilation
, g
)
r 1-
,'f 'j .
Twod l8v -DC power supply in the logic racks provide the trip and actuation signals to each train of the ESFAS master relays. The slave relays route 120v
, instrument power to the ESF loads. The ESFAS Train A is powered from instrument bus IA and Train B fece bus 18. The ESFAS relays will fail to (f transmit the actuation signal on loss of power. This system has the 3.4-31
. . ,. ... - .~ . ,,. n . -
. . . - - - - . ~ . - - - - - - - - - - . - . - - - - - -
---w---s ,-w---,- _y,- ---.7 - _ ,-.---,e,- ,-- . - - , - - - , . - . - ,
. .c .. . . . _ . . _ . . . a.- .. . . . . _ _ . . .
f capability of being tested during power operation. 1
-) , The SSPSA does not provide an adequate discription of the SSPS and ESFAS .. ) .. systems. Imparticular, there is no detailed discussion of the power supplies f : to the various components. In addition, there are some errors in the j descriptions given.
h I I a There is no discussion of the power supplies to the relays that provide the
? . .s ! input signals to the matrix elements' of the SSPS. A review of the system i
M'nj j description (Reactor Protection System, H0-RPS, Rev.0, 08/82) indicates that
; these relays are continueously powered with 120v AC from the bistables in the -
detection channels and de-energize to provide the trip signal to the matrix
, elements. An exception to this arrangement is the containment spray actuation 7 , input relays that energize to actuate. This arrangement is typical of other Westinghouse reactor protection system (RPS) detection channels. Section ~
f . l: , ,,' O.6.1.3.2.2 Solid State Logic Protection System of the SSPSA is somewhat l ambiguous on the power supply arrangement of the SSPS. This section states H p ' that the output relays are disabled on loss of power. However, since the PJ ( 1 output relays from the matrix elements are the ESFAS master relays, this j, . - statement indicates that the " output" relays are from the detection channels.
. .o jj ( The relays in the detection channels provide a trip on loss of power.
1 !
] The SSPSA does not provide an adequate discription of the power supplies to
~
?
-? the SSPS natrix elements. The RBD (Figures 7.6-3 and 0.6-5) shows two DC power j, , supplies, each being supplied from two vital instrument buses, Train A from LW 4
.] PP-1A and PP-ID, and Train B from PP-10 and PP-1A. A review of the data o
>j , used to quantify this supercomponent block indicates that these power supplies h (, are 24v DC. The system description, however, indicates that each train of the 1 . 3.4-32 s h.m.-. ..
........y..~,.,_ . _ , . , _ _ . . ~ . . - - -- - r - , - . --- m
_ _ _ _ . _ _ - _-- : . _.______r_. . _ . -
s _ . .
. , -s,...- . . .
SSPS is supplied with power from two 15v DC and two 48v DC supplies. One 15v and 48v supply is powered from vital instrument bus PP-1A and the other from bus PP-1C for SSPS Train A and for SSPS Train B the DC power is supplied frcm t vital instrument buses PP-1B and PP-10. The systen description is not
.,i . .
completely definitive on which pair of DC supplies actually powers the matrix
$ elements other than stating "each produces 15 vde for the systae electronics I
h
- and 48 vdc for the trip and actuation output signal". This statement implies '.j that the matrix elements are powered from the 15 vdc. supplies. Since power to 1
i i each train's matrix elements is auctioneered from the two power supplies, a A l malfunction of a single 15/48 supply will not de-energize that logic train.
}
I .
! Also indicated on the SSPS RSD is that the 120v AC vital instrume.nt panels are powered from a 120v AC and 120v DC power source. This arrangement is not j- accurate. The vital instrument' buses are powered from uninterruptable power
(_. , supplies that derive their power from a 480v AC motor control center (MCC) and , t a 120v DC bus. The batteries chargers for the associated DC bus are also ,a ! powered from the same 480v MCC. le f
- q. 3 The SSPSA discussion of the ESFAS power supplies is not adaquate. From the f- 3 h dicussion above, it would seen that the ESFAS master relays are powered from n the 48v OC power supplies contained in the logic racks. This may be wny the 1
s1 ,'I ESFAS RBD (Figure 7.6-4) indicates primary and backup power supplies for each M % train. The system description does not indicate weather the master relays are k AC or DC. The slave relays in each train, however, are AC powered from a G. i single instrument bus, Train A from bus PP-1A and Train B from bus PP-18. Both A the master and. slave relays fail to transmit a signal on loss of power. (g I
- (
.]
i f u 3.4-33 p
~. .
. . . . . . . .. ._._,s_,-,.. .. .. - ,
s _. . . _
.h 3.4.5.2'_ SYSTEM MODEL lg /~
t t {; The RTS and each train of the SSPS and ESFAS are considered as top events in g the auxiliary system event tree. Three reliability block diagrams (R80s) were used to andel these systems. Two additional RB0s were used to' model super component blocks within the main RB0s. The main R8Ds were used to derive [-l .i several failure expressions dependent on the initiating event for mich f5ese s lj systems were questioned. d , a The RTS is required to perform identically for all initiating events. Failure m of the RTS is defined as failure of the reactor trip breakers to interupt N; power to the CRDMs or failure of at least two or more control md assemolies to fall into the core. Manual activation of a reactor trip was not considered in this portion of the analys1.s. i:4, g ;.
.~j -
'l ' The RTS was analyzed for the following boundary condition: I .
- 1) RT(1) - Actuation signals from both SSPS trains are present, e
i 2) RT(2) - An actuation signal from a single SSPS train is present. 11 jj 3) RT(3) - No actuation signal is required (loss of offsite power). ?. ' ocj li 1.4 The unavailability of the RTS due to testing was included in the analysis. L:1 bj This analysis considered a 30 minute test on one train being performed once a p1 71 month. The unavailability of the RTS curing maintenance or for human errors 1 performed during testing and maintenance was not analyzed. Consnon cause
' failure of the reactor trip breakers was evaluated using a beta factor of O.110.
3.4-34
. . , . . . . . . . . . - - - 9.,.'..,~.__
.--.m-.- _ . . . - , . ~ . = - - - . -
I
_m ..- _ . ._ . . . - . . . . _ -
! 13 i - The unavailabilities presented in the SSPSA for the RTS are presented here in n
Table 3.4.5-1. Also given in this table are the point estimates we calculated j using their data (from SSPSA Table D.6-5) and failure expressions for o
;j comparison. The requirements of theSSPS are dependent on the specific top i , event for which the systme must respond. The main SSPS reliability block diagram was used to develop failure expressions for the various top events 3 ,] under the following boundary conditions:
[! 1
'j SSPS(1). All support systems available (vital instrument power).
1 SSPS(2). Loss of a single support system train (AC power train). l Two failure expression were developed for 5 sets of top events. The actions of the SSPS required for the top events along with the signals _ needed to j , generate a SSPS response are given below:
..) .
A - Ids EVENT SIGNALS REQUIREMENTS 1, 1 !;L Large/Meditan LOCA/ 2/4 low pressurizer pressure Generate S and P 34 Steam 'Line Break 2/3 Hi-1 containment pressure signals. For steam lil
! 2/3 Hi-2 containment pressure .?
Inside Containment 2/4 Hi-3 containment pressure line break, a steam { m 2/3 Hi-2 containment pressure line isolation ' c.f J 2/3 high steam line pressure signal. y.. rate 1 ...
.F j
j 3.4-35 _.-.....,.-.. . - 4. - - - -- . - - , - - . - - . .-. --
~
1
,' i 1
e j O Smaii t0cx 2/4 iow pressurizer ,ressure Generate an S signai. M Ji 2/3 Hi-1 containment pressure j
- n
.k 6 SGTR 2/4 low pressurizer pressure . Generate an S signal.
1[33 h.i si Steam Line Break 2/3 low steam line pressure Generate an S signal d
- e ,
Outside Containment 2/3 high steam line pressure and a steam line
- h. rate isolation signal.
i 2/4 low pressurizer pressure
}
e j . O Transient 2/4 low-low steam generator Generate a emergency y
; l' level feedwater actuation n
2 signal. Ed' .t I v i Failure of the SSPS is defined as failure to generate all of the required 'h ! signals, as given above, for the specific initiating event. d i
'a.
!;y ila , The unavailability of the SSPS due to test and inspection, maintenance, and lf. human errors during testing was included in the analysis. Detector channel ld 3 testing was not considered to contribute to the system unavailability because ej ,4 they trip during testing. The analysis of the solid state matrix elements i.I L,lj f) considered then being tested for an average of 27 minutes a month. The ! j: . I 3.4-36 t d. l . . . . .. ;_-.._..-_ .
.. . -. . y n- -, m- ~ - - e m~~: ~ . - - - - - - - - .
< . 7 . ;--.
. - w .
+ - - - - , , _
y i ! i maintenance interval of a logic channel was stated to be 39 years and the mean p'.
'I duration of maintenance was 3.55 hours. Human errors perfortned during 3 "
; maintenance were not considered to contribute to the unavailability.
1 The common cause contribution to the SSPS logic channels unavailability was ,.i
.d considered insignificant in comparison to the connon cause instrument miscalibration unavailability determined during the testing analysis and therefore was not analyzed in the SSPSA.
i.I 3 .
.] The RBD model of the parameter channel (PCla, etc.) supercomponent blocks
,,4 .L (Figure D.6-7) does not accurately represent the system failure. This model, as configured., incorrectly indicates that each SSPS train receives signals z frem a redundant pair of relays that are tripped by a single detector channel. Each detector channel actually feeds both trains of the matrix
,p elements through an associated input relay, not a pair of relays. Therefore, m .
the quantification of the parameter channel RBD underestimates the
,I '
contribution to system failure due to the relays. This RBD should only
- consider the sensor, amplifier and bistable associated with each detector channel. The relays should be considered separately, as indicated on the main f
1 i l SSPS RBD. In addition, relationship of the inverter blocks to the detector (
- 1 j channels shown on the RSD is incorrect. The detector channels will trip on i
y;, loss of power. There should be 2 redundant inverter blocks that power each lM i train of the SSPS logic channels.
?( !
s: i 3 .. 4 During our review of the SSPS quantification of the parameter channel failure p', equations, e observed that data listed in the SSPSA Tacle D.6-5 for the 5 (j
; I l'
3.4-37 m .
...,,p3 py ,. e.,w .* = 1 - - - . . . - - . . - - .
, . r %. ,
.,wr --,-
. . :os. ~., .. .. .
t i' i i I I signal modifier was used for the AMP component block. While there is no
,m
[ J problem with the data used, there is no mention in the text that this ii - substitution was made.
- \
^t .
- 6j
; We have corrected the above mentioned discrepancies in the model and M
- S I reouantified the system hardware failures using point estimate valves and hand calculations. This reanalysis includes the independance of the input relays Y , and the redundacy of the logic channel DC power supplies, and their sources,
,,1
'T l the inverters. The revised system unavailabilities are presented in Table
;. t y -
3.4.5-1 along with the SSPSA reported value's and point estimate calculated
.m
. using their models and equations.
The analysis of the ESFAS system included consideration of failure of the 14 p Master relays and the 36 $ lave relays in each train. The failure criteria for l") J lO ; this rystem is failure to process any input signal fros' the SSPS and actuate { the required equipment for accident mitigation. The' ESFAS was analyzed for two ' ,j boundary conditions: F . UM , l,; j ESFAS(l) Actuation signals from both SSPS trains are present with all i.f, support systen available. l 1.1 l ,4fi 'lg ESFAS(2) Loss of a single SSPS actuation signal.
- d .i D
A : The ESFAS analysis was perforised for the 4 sets of top events given below l}7 { along with their actuation functions: > >j
,, a a
.0
[." , 3.4-38
] {
4 _ . . . . . . -- . . . . . . . . . . . - . . .
- . - . r . - y e. , + .. -e..--=. tar e.7 , ffs e
-- - -v" ." - * ~ ~~' . * * " " " " ~ * *
-l
~
EVENT FUNCTIONS (7 s 9 . j Large/ Medium LOCA/ Steam Main Feedwater Isolation (5 signal) Line Break I.nside Contair. ment E:::ergancy Feedwater (5 signal) d ,
- 43. Safety Injection (S signal) y.
t , Emergency Diesel Startup (S signal) h .' Containment Ventilation Isolation
.a '1 (S signal)
U ! i , Containment Isolation Phase A (S signal) q Containment Isolation Phase 3 (P signal) Containment Spray (P signal) Small LOCA/ SGTR Main Feedwater Isolation
- (all S signals) Emergency Feedwater I.s, Safety Injection _ .i Emergency Diesel Startup Containment Ventilation Isolation
- l 9 : Containment Isolation Phase A l $1
- 1. 21 i t! I yl Steam Line Break Outside Same as Small LOCA/SGTR with addition
,j Containment of Main Steam Line Isolation ,4 1 ;
Transient Emergency Feedwater Actuation
-] .a 2 't .
The unavailability of the ESFAS due to testing, inspection and human errors performed during maintenance was not included in the SSPSA analysis. However, 11 . the unavailability of this system due to maintenance and connon cause failure 1 3.4-39
- m. w es w e.easse e-4 _ en ese e.4Wie # # em =
' - - - - * - ' * * ' ' ' * * * ~
. . . , .. . - -..-_.. e . .
-g j -
-w w en ee=.--
--Nm---++-*
- w. . , . . . . . . . . -,
m
- i. '
3 i l was analyzed. The mean duration of maintenance for an ESFAS channel was 14.5 a O hours and the maintenance intervai was 5.4A years. The generic beta factor of j 0.125 was used to quantify the unavailability due to coamon cause failures of the ESFAS relays. f]; w jE { During our review of the ESFAS failure equations derived for the various k; initiating events and bounda;ry conditions we discovered that the pwoer
+ .
ij l: supplies to the slave relays were not properly included. The SSPSA indicates y j that these power supplies are accounted for in the SSPS analysis, but their e , accounting is not correct. The failure of a single power supply will not [
! disable the matrix elements, but it could render the slave relays incapable of
{ '
,9 transmitting the ESF signals. For boundary condition ESFAS(1), the failure of
.I 4 both instrument buses (IA and 1B) will result in no signals to the ESF
,_. equipment. For boundary condition ESFAS(2), the failure of a single (l
instrument bus will fail the system. The power supplies to the master relays - 3 are accounted for in the SSPS analysis since failure of the two instrument buses to each train will also fail th'e master relays, assuming they are DC 4 .6 powered. l .) .
- l. We included the additional ters .to the ESFAS failure equations and requantified the systuu unavailabilities. The revised unavailabilities for j the ESFAS are given in Table 3.4.5-1 along with the values reported in SSPSA and the point estimates we calculated using their equations and data for
% :i comparison.
< se n
i. j ij C . l lq 3.4-40 i ,I l . . , .. .n. .~..y , op .s, , . ;.mpd y p m .---- - w e- - e~ - - ~ ,= ~e
- ....w,..- ,
-t 3.4.5.3 COMMENTS O .3 : The SSPSA analysis of the Reactor Trip System is valid, accurate and I
i i : complete. The dominant contributor to the RTS system unavailability is the
- c. t common cause failure of the trip breaker to open, resulting in tiie lead screw
]
n
$ remaining engaged on the control rod cluster assemblies.
M < a The analysis of the Solid State Protection System and the Engineered Safety s]. d Features Actuation System, however, contained many discrepancies concerned I.j
;! with the actual configuration and operation of these systems. The system descriptions given in the SSPSA did not indicate a good understanding of the u workings of these systems. The system models did not accurately represent all of the possible system failures.
t i
!O j We reworked their models and derived revised point estimate of the hardware a] !
i unavailabilities using hand calculations. The results of our analysis are given in Table 3.4.5-1 along with the results of hand c' alculations using their
.. L ') ! models and point estimate values. A comparison of the point estimates we O f 61 l derived from their models to the point estimates for the revised models given 9 e fl l in this table indicates large differences in the SSPS analyses, and R .
3 , insignificant differences in the ESFAS analyses. The main contributor to the q , 7 differences in the SSPS analyses is the fact that the matrix elements are
+j ?
- { ,
powered from two redundant sources that receive power from two separate j instrument buses. The contribution to the SSPS unavailability due to the independance of the input relays was insignificant due to the 2/4 and 3/4 j ! logic trip requirements. Our revised point estimate of the SSPS has been (] combined with the other contributors (testing, maintenance, etc.) to system l 3.4-41
?
I n- .
- . v y , 3-- :. . _
. I i
1 unavailability and presented in Table 3.4.5-2 along with an indication of the dominant contributor. Also given in this table are the combinations of the
'O ,j !
hand calculated point estimates using their models and the other contributors. t'5 ,
? -
. ")i. . , ! Inspection of Table 3.4.5-2 indicates that for the SLOCA, SLBI and SL30 initiating events with all support systems available, our revised point b) estimates of the SSPS system unavailability are an order of magnitude smaller
,, .I fi } than the point estimates calculated using their models. This difference is V4 [
$ ; due to these cases being dominated by hardware failures. The differences in af d
'O
. the other cases are small since they are dominated by eitner human errors
/ performed during testing and maintenance or the system being unavailable due
!? to testing. 3 l- . j , , The 43 top event sequences that contribute to core melt weae reviewed to ,
! U~ .
determine if this decrease in SSPS unavailability would affect the core melt'
. r 1
> 1
-; ! frequency. There is only one non-seismic event sequence that involves the ii E4 -
SSPS system in this list. This sequence is an ATWS initiated by a loss of
.t d:.1 - t main feedwater with failure of both trains of the SSPS. Since the differences '4 I
V) i in the SSPS unavailabilities for the transient initiating events are small, it . Si this cursory analysis indicates that the core melt frequency will not be ! ,%q 4 p?: J affected by the errors contained in tne SSPS analysis. Lj .i j ' 1 i ,q '; In addition, each plant damage was reviewed for dominant non-seismic sequences % l containing SSPS failures. The only plant damage state that contains these H.3 !
- .4 i l failures is 3D (early high pressure core melt with no RWST injection and no containment heat or fission product removal). Three sequences were i identified; RT (Reactor Trip), ATT l A WS initiated by a Turbine Trip) and 1 i is f? .
a i
+
3.4-42 s
..,.....;. ..n. , - - . = - . - . - - - - -- - - - - - - - - - ~ ~
i
! ALOMF (ATWS initiated by loss of main feedwater, identifiec above). Since all L]
s ' i these sequences are transient initiated, discrepencies in the SSPS hardware s..] .
. (, l unavailability should not have a significant effect.
4 , We, however, feel that a complete reanalysis using revised unava11 abilities
't cJa 7.j for the SSPS and ESFAS should be performed to ultimately determine the effect N .s E.1 ! on core melt frequency and plant damage states. .A .
t 1) p : 4 r1 M.,. . ,
,) .
I i
- o O -
l- ,1
# t i
l "l, i t
$ l
- t
' .l 4
1.2 1 1 i.I l C' i se
.t k-./
3.4-43
..-............_.._.....y_ .
.,._..,2, _ . _ . . , _ . _ _ , _ _ _ _ _ , , , , _ , , .
q _ _ _ . . . . . _ . . . - . . .-
; J ^[
- I I
t TABLE 3.4.5-1 4 :s (D
,J REACTOR PROTECTION SYSTEM
'} .
'. MEAN UNAVAILABILITIES j {
M ! RTS M j RT(1) 3.89-5 3.24-6 --- ---- 5.10-4 5.55-4 2.71-5 ---- M i RT(2) 4.67-3 -- -- ---- --- 4.67-3 4.67-3 ---- 3 RT(3) 5.43-6 -- ---- ---- - - - 5.43-6 5.43-6 -- 1.4.-
}, SSPS N LLOCA SSPS(1) 8.21-7 3.66-9 1.77-9 3.94-4 -- 3.95-4 1.78-7 7.29-9 W .!' MLOCA SSPS(2) 4.24-4 6.25-4 1.04-5 3.94-4 -
1.45-3 5.22-4~ 8.54-5
<,g g SLOCA SSPS(1) 8.50-7 3.66-9 1.77-9 6.61-12 -- 8.54-7 1.78-7 7.29-9 , SSPS(2) 5.21-4 6.25-4 1.04-5 6.61-12 -- 1.16-3 5.22-4 8.54-5 I SGTR SSPS(1) 8.50-7 3.66-9 1.77-9 2.07-6 ---- 2.92-6 1.78-7 7.29-9 ~
8 SSPS(2) 5.21-4 6.25-4 1.04-5 2.07-6 --- 1.16-3 5.22-4 8.54 5 SLSI SSPS(1) 8.21-7 3.66-7 1.77-9 3.94-4 - - - 3.95-4 1.78-7 3.24-8 1 SSPS(2)~4.24-4 6.25-4 1.04-5 3.94-4 --- 1.45-3 5.22-4 8.56-5 SLB0 SSPS(1) 8.50-7 3.66-9 1.77-9 6.61-12 8.54-7 1.78-7 7.29-9 O . SSFS(2) 5.21-4 6.25-4 1.04-5 6.61-12 1.16-3 5.22-4 8.54-5
! TRANS SSPS(1) 8.50-7 3.66-9 1.77-9 2.07-6 -- 2.92-6 1.78-7 /.29-9
,j SSPS(2) 5.21-4 6.25-4 1.04-5 2.07-6 1.16 3 5.22-4 8.54-5 a
[ i .! ESFAS lV !Q LLOCA ESFAS(1) 4.05-5 --- 6.91-6 -- 6.63-5 1.14-4 1.39-5 1.39-5 g I - MLOCA ESFAS(2) 1.13-2 3.04-4 -- -- 1.16-2 1.13-2 1.14-2
'U SLOCA ESFAS(1) 3.43-5 5.49-6 --- 6.78-5 1.07-4 1.11-5 1.11-5
! ESFAS(2) 8.92-3 -- 3.04-4 --- -- 9.34-3 8.92-3 9.01-3 Ml 9 1.11-5 1.11-5 d j SGTR ESFAS(1) 3.43-5 5.49-6 -- 6.78-5 1.07-4
,W. ESFAS(2) 8.92-3 3.04-4 -- 9.34-3 8.92-3 9.01-3 . ,:;t '! 4 SLSI ESFAS(1) 4.20-5 -- 7.35-6 -- 6.51-5 1.14-4 1.46-5 1.46-5 3 '" 9 ESFAS(2) 1.21-2 3.04-4 --- 1.21-2 1.21-2 1.22-2 7 ' 5.94-6 6.62-5 1.08-4 1.18-5 1.18-5' SLB0 ESFAS(1) 3.63-5 - - - -- i ESFAS(2) 9.65-3 -- 3.04-4 -- -- 9.95-3 9.64-3 9.73-3
,, . TRANS ESFAS(1) 1.89-6 --- 3.29-7 -- 6.05-5 6.30-5 6.90-7 6.97-7
.a
(.s) ESFAS(2) 9.65-4 -- 3.04-4 --- 1.27-3 9.64-3 9.73-3
.a O
! 3.4-44
.i
*i b . . g . . _. . _ _ .. .. ,,..., .
.e. .
--e.. e m...m. ..,...m - . .
.I ,,
1
', l (~) Table 3.4.5-2
't SSPS TOTAL POINT ESTIMATE UNAVAILABILITIES
.* ?
; INITIATING BOUNDARY SSPSA POINT REVISED POINT DOMINANT
$ l EVENT CONDITION ESTIMATES ESTIMATES CONTIBUTOR Pf g M ,
3.94-4 Human Error V LLOCA SSPS(1) 3.94-4
'*: MLOCA SSPS(2) 1.55-3 1.11-3 . Testing
%. .1
-[ 4 1.83-7 1.27-8 Hardware
. SLOCA SSPS(1) 3 SSPS(2) 1.16-3 7.21-4 Testing n
-3 ! SGTR SSPS{1) 2.25-6 2.08-6 Human Error 1.16 3 7.23-4 Testing j SSPS(2) ,
.I e SLBI SSPS(1) 3.95-4 3.g4 4 Human Error SSPS(2) 1.55-3 1.12-3 Testing
, SLB0 SSPS(1) 1.83-7 1.27-8 Hardware
.i SSPS(2) , 1.18-3 7.21-4 Testing
. .< ~
.O 7 TRAxS SSPS m 2.2s-6 2.08-6 aumaa Error i
SSPS(2) 1.16-3 7.23-4 Testing 3 . l -% + l' h
*l .
(;3 tfY i .5 ? t i ~2 -l 's !?d . ,.3 "t
. 't i 1
l '11 i .} 4
-4 l
3.4 45 ! ' =
... .. . . . , .. 3. 7 - -.. ...-w....----.- - -- -- - ~ - - - - - - - - - ~ ~
' ~
~ .:. . . - - -
.u. . , . .
i 3.4.6 CONTAINMENT ENCLOSURE AIR HANDLING SYSTEM i (}
^
3
- 3.4.6.1 SYSTEM DESCRIPTION
)
O $b For the purposes of this study, the containment enclosure air handling system
. -i 1 I5 .l (EAH) consists of the containment enclosure cooling system and the containment d 'l fj . enclosure emergency air cleaning system (CEEACS). The containment enclosure i-} -l .. 4 :t cooling system provides cooled recirculated air to maintain room air
+ temperatures no greater than 148* F for continuous operation of equipment ] I during accident conditions. - The equipment areas cooled include charging pump l l areas, safety injection pump areas, residual heat removal and containment spray equipment vaults, and the containment structure annular enclosure f'
;I , - area. The system consists of two redundant trains, each having supply and j return fans, a return damper, inboard and outboard isolation dampers, and a
. cooler unit supplied by a train of primary component cooling water. One train j 4 of the containment enclosure cooling system operates continously while the i i 8
other train serves as a backup. The system is isolated from the primary D auxiliary building on a T signal. a :, The CEEACS maintains a negative pressure within the containment enclosure
- f. i during emergency conditions, removes and retains airborne particulates and y.J radioactive iodine, and exhausts filtered air to the unit plant vent. It l0 .
'y consists of two redundant trains, each having an exhaust fan and a filter
? . - unit. During normal operation the system is in standby. Both trains are *q j automatically started en a T signal.
Ld
*- )
\ :,
's 3.4.46 , i
... . . . _ . . . .s.,._.. . . -. .. . . _._.~... -- .-- -- .----e.----
m ---- -- , ,..m , - - - . ,,, .- , ,. - - , - - , - . ,
~
1 < 3.4.6.2 SYSTEM ANALYSIS (_..)
^
- The fundamental assumption in this SSPSA analysis is the following.
y
.'j- "Failurt of the containment enclosure cooling system to operate for 24 hours l M
is assumedt 'o cause the long term failure of the components listed in Section
]4 is D.7.1.1 of this analysis. The requirement for ventilation can be evaluated j
7i i later if this requirement is a major contributor to system unavailability."
'3 . ?S .
7q ! Six cases are evaluated for CECS unavailabil.ity, and two cases for CEEACS
?)
- s i.I - unavailability.
- N I
- c. 4
- Boundary Condition 1A : All support systems available.
- ' EAH-1A = 1.89E-5 Hardware (PAH to EAH isolation dampers) contribute m 89%, maintenance 11% . -
U .
; EAH-6 = 1.33E-5 Maintenance (one CEEACS filter uni _t) contributes 1
76%, hardware 24% .
- Boundary Condition 1B : Loss of offsite power, all support systems T.s available.
d 5j i EAH-1B = 1.47E-4 Connon cause (starting of fan units) contributes N ' 77%, hardware 151, and maintenance 8%' .
$.( ,
d
- Fil Q
- Boundary Condition 2 : One ESF bus and one T signal available.
M L'2 EAH-7 = 4.88E-3 Maintenance (one CEEACS filter unit) contributes - M 70%, hardware 30% .
'.f. .
- s. ,
- Boundary Condition 2A : Loss of one T signal, offsite power available.
[.4 fci, EAH-2A = 8.20E-4 Hardware (failure of a single PAH to EAH isolation ii 2 ( .. , damper) dominates maintenance. .j ':p ,a ' ;e l.. 3.4-47 l.$
'1 ,
7,
- _._.....4. . . ._-- , . , . .. .. _.
-. . , - ~ . . . . , . . . - .. . ,
+
. a. ,__ - -
+- - n. - - - - - , , - ,,-,e- rv= -
en- <-- w,w------ -
e i 1 a
~
*
- Boundary Condition 23 : bss of one PCC train, offsite power available.
(3> EAH-2B = 7.58E-3 Maintananca (stan:ty fan train) contributes 67%, hardware 4
,3 33 .
- Boundary Condition 2C : Loss of one PCC train anc one i signal.offsite power available.
If.
' Maintenance (standby fan train) contributes 61%, hardware j EAH-2C = 8.38E-3 3:,4 i 395 .
1
,M l
- Boundary Condition 2D : Loss of offsite power and one PCC train, or
. %q -
.> l
] [ loss of one ESF bus.
, EAH-2D = 7.58E-3 Same result as case 2S.
p ' 4
. 3.4.6.3 COMMENTS
- There are questions and inconsistencies in the quantification of blocks C and C' in the equations for EAH. From SSPSA Table 0.7-5 on page 0.7-28, block C
~
d ; consists of the 4 normally open PAH isolation dampers, 2 normally closed gj isolation dampers, and 12,normally open fire dampers. The isol& tion damper x; , j failure mode is failure to transfer to the failed position. Block C' consists r.s of exactly the same components with the same failure modes and >d !?j -i unavailabilities. However the total unavailability for block C is 1.53E-5 m 3~; ! while block C' is 1.34E-5. No explanation is provided for this apparent
- g discrepancy.
l [y; In the equations for EAH unavailability, block C is used when offsite power is H {j available, and block C' is used when offsite power is unavailable. However, b. 9 , ,J (s. 3.4-48 l l;' , _ . . . . . . _ . . . . . . _ . . . . _ . - - - - - - . - . fI - , , , , . . .
.3. .. . .
,.-,*T..'.
* * ~ * " ' ~ ~ ~ ' * ~ ~ ' ' "" ~ ~ * ~ ~ ' ' ' ' " ' -
l [-
._. _. ... ,; . .. ~ . _ - .. a. .
y 4 the dampers function the same under either condition. All six isolation ( . . dampers change position on either a T signal (offsite power available) or on
.a s ; loss of instrument air caused by loss of offsite power.
4y N This interpretation is drawn from the following statements. From page Of i D.7-3: "The pneumatic dampers require compressed air for normal function.
> I hjy .
Each pneumatic damper moves (on loss of instrument air) to a position which 2.} 'j does not interfere with the function of its system during amergency g operations." From page D.7-7: " Failure to isolate the containment. enclosure y
+ area cooling from the auxiliary building air handling system has been defined for this analysis as a failure of two isolation dampers (one supply an'd one .} ,
fl exhaust damper) to shut following a i signal actuation or loss of the 4 respective ESF bus."' L
, ('
v Sinca blocks C and C' appear- to be identical, there is no reason to i y j distinguish between them in the unavailability logic equations. Since no dA
, explanation is given as to how these blocks were quantified, we cannot check N '
their differing total unavailabilities. However errors in block C or C' '31
'd i could affect the results for : case IA, where block C contributes 93t of ni l.
hardware unavalability; and case 18, where block C' contributes 62*. of 4 .j hardware unavailability. }A "
,:Q We can define block C failure as : (PAH-OP-35A
- PAH-OP-358) + (PAH-OP-36A
- dl d PAH-OP-368) + (EAH-OP-37A
- EAH-OP-37B) + 12
- fire damper failure rate ; 2 of 7 .
d 2 supply dampers fail or 2 of 2 exhaust dampers fail or 2 of 2 charging pump 2 l ,'1 . exhaust dampers fail or 1 of 12 fire dampers fails. Using the mean
- c. .
f ( unavailabilities as a point estimate we obtain the unavailability for block C i o 3.449 l-l:' . ____ _ _ _ ._ .__ ._.. .__. . . . . . . _ . . . . . . . .
- t. _ ._ . _.. _ __ -.
. ,, . . _ . , , y.. , . . . . ~ . . . - - - .-.,=- __.
as 1.23E-5. Requantifying cases 1A and 18 with this value for block C gives h hardware unavailabilities of 1.35E-5 (reduced by 18%) and 1.84E-5 (reduced by 15%) respectively, i 4 No further mention is made regarding the fundamental assumption about the need n
.3 for ventilation. No explanations are given disputing the significance of -s g :,
ventilation as a contributor to the unavailabilities of other systems such as
;i emergency core cooling. Therefore we believe,an analysis is needed to 9]. establish the validity of th'e ventilation assumption.
3 . 3.4.7 EMERGENCY CORE COOLING SYSTEM
- s 3.4.7.1 SYSTEM DESCRIPTION ,
The emergency core cooling system (ECCS) is designed to remove stored and f j] fisson product decay heat from the reactor core during accidents and y transients. The ECCS consists of the Safety Injection (SI) system, Y
.U Accumulators, the Residual Heat Removal (RHR) system and a portion of tne
'.g Chemical and Volume Control System (CVCS). Each of these systems have a particular operating pressure and flow rate charateristic that requires their gj use for specific accidents or accident phases. Y 9 .--.a' ; ~.1 The SI system consists of two independent trains that take suction from the
.? ! refueling water storage tank (RWST) during injection and the containment
)
4 (- recirculation sumps (CRS) during recirculation (in conjunction with an RHR j 3.4-50 1 4
. - - - - - ...,,-.-,,,m _. - - - - - . - - , - - - - - - , . - - - - - - - -
.n . . .
. ,y -
. ~
t
- pu.mp). Each .SI train consists of a centrifigul pump, valves and interconecting
(!% ' piping. The dicharge of both SI trains join a single valved header before ij connecting to the four RHR injection lines on the cold legs of the reactor leg
']0 injection, SI train A dicharges to reactor coolant loops 1 and 4 and train B -A to loops 2 and 3.
1'l : C1 l
,1 - .j -
Both SI pumps are motoe-driven and each is powered from a separate 4160v
; ! emergency bus. The design pressure of each pump is 1750 psi with a shutoff 3'
j j discharge pressure of 1537 psi. The designed flow rate is 425 spn at 1170 psi
;< 1
!d and the maximum flow rite is 650 gpm at 715 psi. Each pump discharge line is
'J j .
]i . provided with a miniflow recirculation line that joins a common header leading ,
j to the RWST. Lube oil cooling for each pump is provided by the containment enclosure cooling system. (. The SI system is normally aligned to take suction from the RWST and discharge
, : to the RCS cold legs. For this alignment. .all valves in each train are
'i - , 4 normally open while check valves prevent backflow from the RCS. When an d' :
- )a ,
accident condition is detected, the.ESFAS provides signals to start the SI n , L*) - pumps and confirm the valve alignment for cold leg injection.
;-)
}'
i.? l d . Each of the four accumulators contains 850 cubic feet of barated water at a 4 lj pressure of 650 psi. During an accident, each accumulator injects into a
- .-f
- f separate RCS cold leg when the primary system pressure drops below the tank q
f;j pressure. Each injection line is provided with a motor operated valve (MOV) 3 to isolate the associated accumulator during normal plant cooldown.
- I hd 1
l 3.4-51 i
......, ,- . .w., . , . - - - . ..4,.._... .m.. . . . . . ~ . . . ~ .
-, , , - - . - - - - - . . . ,- ,-r .-v -- , - , - - , - - - , - - , - - ,
.4 _ w. . . . . . - '4 i The RHR system consists of two separate trains that have the same suction .? ..
I \m' . sources as the SI system during both injection and recirculation. The two RHR l N
'.i; suction lines from the RWST also supply the containment building spray i pumps. Each RHR train contains a centrifugal pump, a heat exchanger, valves j and interconnecting piping. During normal plant operation, the RHR system is
- p 1 j in standby and aligned to take suction from the RWST and inject into all four
- y. . RCS cold legs. Flow through each RHR heat exchanger is controlled by a 7 ,' normally closed air operated valve located on the heat exchanger bypass line.
d 1 ' On the outlet of each heat exchanger is a normally open air operated flow f:3 0 .. control valve. A miniflow bypass line for each train is provided to protect the pumps. Valves on these lines open when tha flow on the main line is less
.. than 500 gpm and close when the main line flow is above 1000 gpm. A cross-connection line allows flow transfer between the two trains through two
. . . normally open MOVs.
<; i .,
During the recirculation mode, the RNR pumps take suction from the CRSs q through two normally closed MOVs. For cold leg recirculation, coolant is 'E} y . supplied to the RCS through the same piping configuration used for cold leg D : injection. For hot leg recirculation, coolant is supplied to the RCS hot legs j y';A 1 1 and 4 For high pressure recirculation, the RHR pumps are required to i supply coolant to the intakes of the SI and Charging pumps. s , ' t .i. g I?' For normal plant cooldown, the RHR pumps can take suction from the two RCS hot d legs and discharge through the heat exchangers back to the RCS cold legs. b This normal RHR shutdown cooling mode is used to provide long tenn ECCS
. cooling.
1 . l C ,3 4 l 3.4-52
. w .
. _ , .., . a = = . . . . . - - - . . . -
j - . i t j Both RHR pumps are motor-driven and each is powered from a separate 4160v
'3 .y emergency bus. The design pressure of each pump is 600 psi with a shutoff j discharge head of 195 psi. The design flow rate is 3000 spm at 163 psi and 4
9 - the maximum flow rate is 4500 gpm at 141 psi. Each pump's mechanical seals 1
. and associated train heat exchanger is cooled by .a separate PCCS train. The
.s
- 'i pump seals and the heat exchangers only need cooling during the recirculation
.t. 84 mode of operation. During periods of miniflow recirculation, cooling to the d heat exchanger must be provided. d3, m ' When an accident situation is detected, the ESFAS provides signals to start h( the RlR pumps and align the system for cold leg injection.. When a RWST low-low level signal occurs, the ESFAS provides the signals for switchover from the injection mode to the recirculation mode. Manual actions are required to q align the RHR pumps discharge to the SI and Charging pump's intake for high gJ^ pressure recirculation. The portion of the CVCS that operates as part of the
. : ECCS consists of two independent pump trains and a common boron injection tank 5
o.1 (BIT). Each pump train takes suction from the RWST during injection ,and s consists of a centrifugal pump, valves and interconnecting piping. The 5 discharge of each train joins a common header that leaos to the BIT ano a
/j ?
g 7 valved bypass line. The BIT is provided with a recirculation system that cons'ists of isolation valves, two recirculation pumps and a surge tank. The Y
$ discharge of the BIT and the bypass line join a comon header before branching ll yl to the four RCS cold legs. During high pressure recirculation, the centrifugal charging pumps take suction from the CRSs in conjunction with the RHR pumps.
':)
'd' 3.4-53 i
~~
! Both centrifugal charging pumps are motor-driven and each is powered from a
}
1.m J separate 4160v emergency bus. The design pressure for each centrifugal 3 j charging pump is 2800 psi with a shut-off pressure of 2684 psi. The design 2 flow rate is 150 gpm at 2514 psi and the maxima flow rate is 550 gpn at 607 y
,j psi. A miniflow recirculation line for each pumps protection is provided dich d. .n-diverts flow fran the pump's discharge through the seal water heat exchanger fj and back to the pump's suction. Cooling for each pump's lube oil cooler is # . provided by a separate PCCS trains. The seal water heat exchanger is cooled
- 4 j by train A of the PCCS. Each centrifugal pump room is cooled by the containment enclosure cooling system.
The BIT contains a usable solution volume of 900 gallons with a nominal boric acid concentration of 21.000 ppm. The BIT recirculation system in conjunction 9
- l. g.,,.
with 12 strip heaters prevents boric acid stratification and settling. The G - recirculation path is isolated on receipt of a safety injection signal. l
~
l 1 During normal plant operation, tne two centifugal charging pumps are in . ;p
, f; standby and aligned to take suction from the volume control tank (VCT) and G ' '3 ' deliver flow to the normal charging path. A normally running positive .i displacement charging pump provides the normal charging flow and reactor .] .
coolant pump seal water injection. The standby charging pumps are l n.f !3 automatically started and controlled by the pressurized level control system lg if the positive displacement charging pump cannot maintain the proper level. tw h The positive displacement charging pung is powered by a non-emergency l[ electrical bus.
- .{
'i ^
f 3 1 V P l- 3.4-54
- e ... _ , .. . - . . - . . . . . - - - - - - - - - -
= _ . . . .
l When an accident situation.is detected, the ESFAS sends signals to start the km centrifugal charging pumps, isolate the VCT and normal charging path, open the jj normally closed suction valves from the RWST and align the BIT for injection 3 to the RCS cold legs. Reactor coolant pump seal water injection is maintained i
'?. during this realignment and provided by the three charging pumps. When a low- !.?
y low RWST level signal in conjunction with a safety injection signal is q ,
} present, the SIT bypass line begins opening. When the bypass line is fully
- 3. open the BIT is isolated. Switchover to containment sump rectreulation
'I .d requires manual alignment of the RHR pumps to the charging purgs' intake-us i piping.
The RWST is the main source of injection and makeup water to the reactor core
; while the containment recirculation sumps provide a source for coolant j recirculation. The RWST contains a minimum of 450,000 gallons of borated-i O water. The tw' containment sumps receive their coolant fram pipe breaks, ,
sprays, etc. inside containment. Each sump has a normally closed " canned" [ outlet MOV located in the piping tunnel that is opened upon receipt of a low-3 low RWST level signal in conjunction with an SI signal. i.i
}I :
y i oa . [j ~j .3.4.7.2 SYSTEM MODEL 3 i .y
'$ The ECCS appears as several top events in all of the initiating event trees.
3 Sj These event trees ask for the unavailanility of the different functions the 2:. ECCS is designed to perform. Therefore, the ECCS is not analyzed as an integrated system but rather as different configurations performing required (.s. functions for a particular initiating event. The event tree top events for d. s f 3.4-55 ee me seme- mess.=su. - ->a ee
.. . . .. . . . . . - - . . . . ~_..n.~, n.:e n . . . . .- ,, - .. . - . - .~. . - - .
-J .- , ; -_..--lL..-. ~.---
i 1 i. 2 t the ECCS are given below:
- (aD
.i 1
RW - Refueling Water Storage Tank
.3'
-,; HP - High Pressure Injection (SI and CVCS)
- i
. :s.
i RA - RWST Train A isolation valve
.~J 61 hj RB - RWST Train B isolation valve ,
d Id
.r1 L1 - RHR miniflow recirculation train A fj L2 - RHR miniflow recirculation train B l . .
i . ,. LR - RM Shutdown Cooling _ lt { t
- LA - Low Pressure Injection Train A m -
D , D i
'j ; i LS - Low Pressure Injection Train 8
!Q l I @ ..g 1 }j CSA - Recirculation Sump and Switchover Train A a 'li d i G ! j',j , CSB - Recirculation Sump and Switchover Train B
- e -
.g 3 j:-{ PA - Low Pressure Recirculation Train A without RHR Heat Exchanger l.* l-1 PS - Low Pressure Recirculation Train B without R$ Heat Exchanger
.) (J~.
t I
.I
, 1 3.4-56
-l
. . - . . - . w.. . ., ._ . ~ w - , -- A. . - .-.-- +-... ~ - =~ - .
l
j
- j l
. i
'h .
. j j (. HA - Low Pres'sure Recircualtion Train A with RHR Heat Exchanger i .
~:
- le - Low Pressure Recirculation Train B with RhR Heat Excnanger 4
d
,'j .
s' RC - High Pressure Recirculation ll2; t i s
.j ,
HE - Low Pressure Recirculation to RCS Hot Legs with RHR Heat Exchanger J
,im
- .a d , HS - Low Pre,ssure Recirculation to RCS Hot Legs with CSS Heat Exchanger
& i
. LS - RHR Train A Operation for High Pressure Recirculation
. L6 - RIR Train B Operation for High Pressure Recirculation Li j Logic models of the ECCS were developed for the different subsystems (or parts thereof) and combined.into overall failure models for the event tree top 2 i events dependent upon the required ECCS function, boundary conditions and the
.j ,
l ., . % j particular initiating event. The success criteria of the ECCS for each Q ( i initiating event is given in Table 3.4.7-1. h;fd,
j Reliability block diagrams were developed for the injection and recirculation
- G modes of the SI, RHR and CVCS systems along with an RBD for the Accumulators.
!;M y j Added to these are models of the RWST, containment recirculation sumps and the
. RHR heat exchangers. These RB0s were then used to derive failure expressions
+.
g.] for the 4 boundary conditions listed below:
-] l rm
'l .
V i ! l;4 3.4-57 i
.. . . . . . _ _ . . . . . , . ~ . ..... . . . . . _ .-_ _ _. . . _ . . _ . . . . . . _ .; _ ,.
4 5
- 1) Support system available for both trains, q.
i O 2) siectricai po.er or actuation sisnai avaiia.ie to oniy one train, - ! 3) Primary component cooling water available to only one train, ". ).
- 4) Only one containment recirculation sump or one. Rift pump is
?
f4 available. n N - ')j.) i The failure expressions sere then combined into overall failure ti . j']T i-
- 1 y3i M
e !. t . l. Y;' p t h Y.'t. e4
- eq
',, e e
r[' 'l 5Y
~a .
't 4 y 9 (~
)..
(/ .
~:
l 3.4-58 1
~ * *
.. . . . + . .um o e * ,-ameum.*****=*= ~ -* * *
. ,gp,, , . . . =- .
.,--7...-..w,7*,.s,.e.,' .n s *
~
-e- = . %.e -we **" ~ ~ + ' ~ - T ' '* - "* ,- "' ,
"*7**-
9
---.w -
y, ,_y_ . _ . ,-. --
,,,.%y.
t 4 i i 2 I (] TABLE 3.4.7 1 ECCS SUCCESS CRITERIA 4 i AND MISSION TIMES J.i , { INITIATING FUNCTIONAL SUCCESS . MISSION 3 ! EVENT MODE CRITERIA TIME
~1 .y . - . - ... _
LLOCA HPI NONE r I [ <
}
LPI 1/2 RHR Pump to 2 RCS Cold Legs and 1 Hour
'g l 3/4 Accumulators 1 Hour h! ;] ;
LPR 1/2 R$ Pump to 2 RCS Cola Legs 23 Hours
'j HLR 1/2 RHR Pump to 1 RCS Hot Leg 4 Hours MLOCA HPI 2/4 SI and CVCS Pumps to 2 Hours
! 2 RCS Cold legs J
LPI 1/2 Rm Pump to 2 RCS Cold Legs 2 Hours I/ LPR 1/2 RHR Pump to 2 RCS Cold Legs 22 Hours i SLOCA HPI 1/4 SI and CV3 Pumps to 6 Hours j TRANSIENT 2 RCS Cold Legs HPR 1/2 RHR and 1/4 SI and CVCS Pumps -18 Hour j to 2 ECS Cold Legs y Ig SHUTDOWN 1/2 R$ Pumps to 2 RCS Cold Legs 24 Hours 3 . COOLING r.1
! ATWS HPI 1/2 CVCS Pumps to 2 RCS Cold Legs 2 Hours .d l .- ----
5 i note: HPI = high pressure injection HPR = high pressure recircualtion
.!j LPI = low pressure injection
- l LPR = low pressure recirculation i HLR = hot leg recirculation i
.j t*
L;
) n' e
o l 3.4 59 I i j
. . .- , , . . - - . ,j e, v. mw. .. 4- ,- -=--. .4 **,ve.--.- s . .--we +. * ~ ~ ~ ~ * = + .
l equations for the event tree top events and quantified for unavailability due to hardware, test and maintenance, and common cause. The unavailability due
- to human errors perforned during test and maintenance was considered for the
. HPI function since the SI pumps' manual discharge valves are closed during i
si j tes*ing. The contribution to unavailability due to piping failures was a ' i analyzed using failure modes and effects analysis and was found to have a A ' negligible effect.
} !
4 2 1 The ECCS mean unavailabilities for the event tree top events are given in j
]a Table 3.4.7-2. Also given in this table are the dominant contributors to these unavailabilities. Inspection of this table indicates that hardware failures account for a large portion of the ECCS unavailability. ;
!O 3.4.7.3 COMMENTS II !
9
-l. .) ; '.j The systems analysis performed for the various subsystems and functional n
h
' combinations of the ECCS appears to be valid, accurate and complete. However, b
)) m., the many functional moces, boundary conditions and event tree top events along
; with the lack of correspondence between numerical values presented in the d I systems analysis section and the event tree input coding tables makes the M i O analysis difficult to follow.
Q l' q p, j Il,; { We disagree with the high pressure injection success criteria used for the i' , SLOCA/ Transient initiating events. The criteria used in the SSpSA is 1 of the i 4 SI and CVCS pumps delivering water to at least two cold legs for 6 hours. 1 C The SI pumps, however, will not be able to inject coolant into the RCS until 3.4-60 i:
. . . . .. . - . ...,.. m , . - . - ~ - - . ..++-.y.,----..------------ -
,- + - , .- , . . , - --.- -
.._ .. ~.
,f
-...... ..m...__-
I i the pressura drops below 1537 psi. For a SLOCA or Transient, it may take many 1 j -(l s.- hours for the RCS to reach this pressure without manual actions. Therefore. 2 i j l the high pressure injection criteria for this case should be 1 of 2 CVCS pumps
.n delivering coolant to two RCS cold legs for 6 hours. Using this revised
? !
'.' i criteria and the SSPSA data produces point estimate hardware unavailabilities
< /,I y for the SLOCA/ Transient HP top event as.much as three orders of magnitude
}.! larger than the values reported in the $$PSA. A comparison of the point q!.1 - estimate unavailabilities for the SSPSA HP criteria and the revised criteria
]'j is given in Table 3.4.7-3.
.l l l-l f
t Upon inspection of the top 43 sequences that contribute to the core melt frequency, the top event HP, only appears with an unavailability of 1.0 (i.e., having failed due to a failure in a support system. Therefore, it does f [ - not appear that the discrepency in the high pressure injection criteria for i ,- I the SLOCA/ Transient initiating event has any significant affect on the core
-1 ,
I melt frequency. An inpection of the top sequences for the release categories ..3- produced similar results. '. l 4 l5
- -?
l f t u. (N d GT i e d .I i
- ) .
A 1 m : d I d !. o e
.I e" 3.4-61 i
l 'i L. . . ..___.,.._-...___.__.__%.__._,..,..._. . ..-..- . .-
i I Table 3.4.7-3
, COMPARISON OF POINT ESTIMATE
(~]
, , UNAVAILABILITIES FOR SLOCA/ TRANSIENT HIGH .1 .
PRESSURE INJECTION
. BOUNDARY REVISED SSPSA SSPSA REPORTED f CONDITION POINT ESTIMATE POINT ESTIMATE MEAN UNAVAILABILITY
. ,1
~
}.
.li j 1 Hardware 7.15-4 4.58-7 4.88-7
'I I
Total 7.16-4 1.00-6 1.03-6
.t
't .
" 2 Haraware 2.27-2 1.24-4 1.41-4 6 . .
i; Total 2.2S-2 1.78-4 1.95-4 1 i j 3 Hardware 4.78-3 2.37-5 4.56-5 l <# Total 4.80-3 4.72-5 6.41-5 O . t 6 1 i N
- s a
?g y . )
I
, 0 ':4 :
q , m , 0
'li '
y1
. . i.
f.
'I f
4
?
i ! s' 3.4-62
.i .j e - e eer o e ae
- v-ws e w- ----y- -
-p w i ,,. , . - - - - - - , - ,
- - - + - -
r c. , -,.,9-i,,. 1- a w+-w -, - -+- -: --r
I i t TABLE 3.4.7-2 : + h- ECCS MEAN UNAVAILABILITIES
-, 1 AND DOMINANT CONTRIBUTORS l TOP BC. LLOCA D MLOCA D SLOCA/ 0 ATWS 0 .d! .} EVENT C C TRANSIENT C C H j e t, .]
j RW 1,2,3 2.66-8 HD 5.33-8 HD 1.60-7 HD -- -- j HP 1 - - 2.43-5 HD 1.03-6 HD/CC 1.06-3 HD q ! 2 - - 3.21-2 HD 1.94-4 HD 2.52-3 HD
, l 3 -- - 1.35-2 HD 6.41-5 HD 6.52-3 HD 1 - l' RA,R8 1,2,3 3.35-5 HD 3.36-5 HD 3.39-5 HD - --
t
- I L1,L2 1 - - 5.07-5 HD/CC 5.49-4 HD/CC -- --
) , i.
2,3 --- - 1.49-2 HD 1.51-2 HD --- --
. j LR 1 - - - - 6.21-4 CC ~ -
.I 2 - --
~
] .
Q 3 - - - - 1.12-2 HD - .
! LA L8 13 4.35-3 HD -~ ~ ~ -- -- -
~! E 1.23-2 HD - - - - - --
>: LA,LS l'd ; Single .
- Train 1,3 5.64-3 HD -- - - - - --
,' : CSA CS8 1 2.25-4 CC -- - 2.19-4 CC - --
- 2,3 4.86-3 HD -- - 4.30-3 HD --- --
Lg '/.. ( - PA P6 1 2.21-4 CC -- - 1.71-4 CC - - l.5 2,3 1.14-3 HD -- - 9.60-4 HD -- -
- D -;
i; HA,le 1 2.19-4 CC - - -- -- - -- 4l 2.3 4.31-3 HD - - - - --- -- HE,HS 1 7.51-7 HD - - -- -- --- --
', .j 2,3 1.12-6 HD - - - - --- --
p}*-
; RC 1 SI
+ j[ ' TRAIN 1 -- - - - 2.54-8 CC --- --
'l NO CVCS 1 - -- - -
2.74-8 CC --- -- P
'J 2 -- - - - 1.18-6 HD --- -s i
i.
; 3.4-63
- n i
pu OO*
- k 5 N $ O'
- hM fA D h'" f ,,
,y, .. _
8 - c ,_
,--_._,___'g'. p :
. = . _ . . _ . . _ _ . _ . _ _ .
l. l. { l 3 -. - -. - 1.11 6 HD -_. -.
' ( \
! *s TRAIN B CRS or
! RHR and SI
, ; TRAIN A 4 - - --. - 3.36 6 HD -- -
e
-i SI i
! TRAIN 8 4 - - - - 2.86-8 CC -. -
I n'
! .l ND qvCS 4 - - - - 2.96 8 CC - -
1 1
'! TRAIN A ' .j CRS or
- t. RHR and 1 I SI TRAIN 4 - - - - 2.55-8 CC -. -
{ ; e
-4 l
., ND CVCS 4 - - -- - 2.44-8 CC -- --
3 i : .
} L5.LS 1 -. - -- - 1.72-4 CC -- -
2,3 l _- - .- - 1.07-3 HD -_. - 1 note: BC = boundary condition DC = dominant contributor I (') le = hardware CC = common cause , 4 - 1 l i Y b.I !
,A 4 ' s.
,)
.;i -
, ,t
.A
- t
'6 $l (
e
,q. t I i I
lI, l
, ,-~
t v 3.4-64 I 94 . * * . . = = m - .f .-p.- = p-P ,
'W ' M'88'#8*#'******* '
"I Y *#"*" *T4"'"
~
= . . _ . . _ -
t
,-~.
3.4.8 EMERGENCY FEEDWATER SYSTEM ll 1 3.4.8.1 SYSTEM DESCRIPTION
?
i !J The Emergency Feedwater (EFW) System provides for heat removal from the reactor coolant system (RCS) through the staan generators (SG) during 1] a emergency conditions when the main feedwater system is not available. The EFW '1
.j system must be capable of reducing RCS pressure and temperature so that the RHR system can be used for decay heat removal and long term cooling.
h g
; The EFW system consists of two emergency feedwater pumps, the start-up feed t
pump (SFP) and associated valves and piping. One EFW pump is motor-driven and receives power.fran a 4160V emergency bus. The other EFW pump is turbine-(' ~ driven with steam supplied from two of the four steam generator. The start-up ] feed pump is motor-driven with power from a non-emergency 4160V bus. 't 1 i . d All three pumps take suction from the condensate storage tank (CST). The capasity of the CST is 400,000 gallons, half of which is reserved for use by E} 3 the EFW system. n. 1 $ Each EFW pump has sufficient capacity to supply 100% of the required flow for l}
.i decay heat removal. Each pump is cooled by its discharge flow and contains a ,.j e ,d recirculatica line to the opposite pump's suction to prevent pump runaut. The c '- start-up feed pung has twice the capacity of each EFW pung and its lute oil is cooled by the secondary component cooling (SCC) water system. The SFP has a recirculation path to the condenate storage tank.
- z. .,,..
.s 3.4-65 l
. . . . . . . . . . . - - - - .-. ~ .p.,
3 O During EFW system operation, ::oth EF2 pur.p, discharge into a co,s.on heaeer
- which supplies four individual line, one to each of the four steam
,; generators. These lines join an associated main feedwater line dcwnstream of i
the feedwater isolation valves. Each SG supply line is equipped with a stop- ] ).j check valve, two normally open motor-operated valves in series, a manual,
}
normally open isolation valve and flow limiting venturies. The SFP is normally aligned to the main feed lines upstream of the main feedwater heaters .d
.t' through a normally open, manual gear-operated valve. The SFP can be aligned .] to the EFW header through two normally closed, motor-operated valves, sj . .
l . The two EFW pumps will start automatically upon receipt of a loss of offsite
]
power signal, a safety injection signal or a SG low-low level signal. .The SFP
.. will start automatically upon loss of both main feedwater pumps unless a
(""., -
, safety injection, loss of offsite power, or high-high SG signal is present.
-l. .
-l
'j ! 3.4.8.2 SYSTEM MODEL d - 3 I i M ; The analysis of the emergency feedwater system is used for the event tree top d I g ; event EF, emergency feedwater and steam relief. This top event appears in all
- i 1 1
{ the front-line system event trees except the Large LOCA tree.
- i's i
.' 1 !
N ". Two reliability block diagrams (RBus) were used to model the failure of the q EFW system. One R80 modeled the failure of the EFW pumps and tneir associated ]M '} flow delivery system and the other RBD, modeled the failure of the SFP and its associated system. The success criteria for the EFW system was defined as at
}
Q least one pump delivering flow to at least two out of four steam generators i 3.4-66 e , .. . m s .emse . was.e o _ am.e .-mes.>ow m * * *
- i .+..-- - .
. . - . -. . - - - --.-- :- - m + ---~.m -- v:-
....--.....,.,...,,,,.g.,\,.
l
, .. .. . . ~ . .
~
$ for a period 9 hours following accident initiation, except for some ATWS D,
. events. For these ATWS, it is necessary to achieve flow to all four steam i generators. The mission time of 9 hour was used because, as stated in the 3 SSPSA, this was sufficient time to cool down the RCS to allow RMt shutdown 3
cooling. 1
~l
. The R80 for the EFW pumps was used to derive three unavailability expressions:
4 I
.]
c{ 1) all . support systems available. EFW (1),
- 2) the motor-driven pump is unavailable. EFW (2), and, j
l,
- 5) the turbine-driven pump is unavailable, EFW (5).
1 The RSD for the SFP was used to derive an unavailability equation for only item 1 above, SFP (1). For the ATWS event, the analysis considered failure of (: two aditional flow paths from the EFW header to the SGs, EFW (6). The system ti failure models, given above, were then combined with the failure of the j i
.: condensate storage tank (CST) into EFW system failure models dependent on the ).= initiation event and/or the auxiliary system state for which the event tree top event, EF, was questioned. The system configurations, accident situation,
- d fj dominant contributor and unavailabilities presented in the SSPSA are given in
.1 ;
j j Table 3.4.8-1 here. 1 !
.t! ;
; The test and maintenance contribution to system unavailability was considered A
.l in the SSPSA. The analysis considered the EFW pu'mps being tested 14 times a i
year for a mean duration of 0.721 hours. No testing was considered for the
]
.! SFP or the valves in the EFW system. Maintenance of the turbine-driven EFW j pump was considered to be performed every 6 months and for the motor-driven 9
. 3.4-67 i <
t e... ee - ... e e. mesee = ==4m . ammmmm.
. - . .--. - _. . - - - . ,~.
~~
. 2
~
pump every 16 months. The maintenance duration for both pumps was taken to be
. 20.9 hours. Maintenance on the SFP was considered to be every 16 months for a
; duration of 5 days.
.4 Human errors due to test and maintenance were considered in the SSPSA. These
, ' .i 1 errors were failure of the operators to return the EFW p_ umps or SFP to an s
'i 1 1 e operable state following test and/or maintenance. In addition, failure to i
- discover the misalignment was also considered. Data fram the Handbook of l
'i 1
' Human Reliability Analysis with Emphasis on Nuclear Power Plant Application (NUREG/CR-1278) was used in the quantification. In our review of this SSPSA
! l.; 4 .
; section, the values given on page D.9-27 for the EFW pump unavailability due 1
- to test and human interaction were approximately two orders of magnitude lower s
than the values we calculated using their equations and mean prooabilities.
~
These unavailabilities,' however, are not signi.ficant contributors to the -
- 7. s.
overall system unavalability and, therefore, do not affect the results. No human recovery actions for this system were considered in the SSPSA, ' . ~.fl.
.y although realignment of a EFW pump being tested was allowed wnen a start
, ' ).
. signal was received at the pump. The procedures explicitly account for this I action. Not considering human recovery actions results in the following i) ;e i modeling assumptions:
i .'d I
,d .y 1). if the CST is found to contain insufficient water inventory during an 11 1.g accident, makeup is not provided from the domineralized water storage
'f tank or the water treatment water, and
,3 i
- j ,m v
l 3.a-68
.. . , . e.em e y . , - ~ . -- . e . -
v.~..--- e-m .eyo.~. =o-*~~- r - - ~ ~ ~ ve*~ ~ re
- e sa -y - ,e ~,-w--+--m-,---e en-, , r-~w---n p-m , , , -n,om w..
, 2) upon a loss of offsite power or closure of the main feedwater p
J isolation valves, the SFP is not manualTy aligned to the emergency j feedwater lines and its power is not changed from a nonessential to an essential electrical bus.
.1 d i
{ ( ; Comunon cause failure of the two EFW pumps was included in the analysis. A
! beta factor was developed for the pumps failing to run and applied to pumps i
, ! .I only, excluding their driver type (motor or turbine). The beta factor used l was 0.119. No other common cause failures wem included in the analysis.
)
1 l Dependent failures between the two EFW pumps were considered. If the turbine-
~
driven pung were to fail due to its steam line rupture, there is a possibility that the motor-driven pump's environmental qualifications could be exceeded.
., However, due the limited amount of piping involved and the small probability of piping failure, this failure mode'was not considered to be a significant
} contributor to the system unavailability. Turbine missiles from the turbine-l driven pump could fail the motor-driven pump.
- This dependent failure was not 1 - considered to be significant be.ause of the pump's physical arrangement (perpendicular) and the addition of a fire well between the two pumps.
m The failure of the EFW pumps and the SFP due to external ' events was analyzed. The analysis considered fire to be the only significant contributor 1e l to the unavailability of these pumps. Floods were not considered to have a
'.. significant impact.
- 3
,11 1 O e I
~J .
t 9 3.4-69
.m... . ~ . , , .-. . . .e ...;...-. . -. ~ .. ~ . . . . . . ~
s a . 4 i !
, 3.4.8.3 COMMENTS .
f]
.. t ..-
In. general, the system models and analysis for the emergency feedwater system i
'j - were valid, accuate and complete. However, w have connents on the way this
% . analysis is applied to the event tree top event, EF, and its combination with rf .
$ j the secondary cooling function of the main steam system.
- f i 3, t j ,
The event tree top event, EF, appears in all front-line event trees except the f Large LOCA tree. Upon inspection of the event trees input coding in SSPSA Tables 5.4-10 thru 25, many of the numerical entries do match any' of tre valves given in the EFW analysis section. The differences are due to '; combining the results of the EFW system unavailability expressions (EFW (1), EFW (2), EFW (5), EFW (6),SFP (1) and CST) and the secondary cooling analysis (SC (1) and SC- (2)) into overall functional failure expressions that 'a re (.,
~
tailored to the specific initiating event and a set of auxiliary system states ,i (represented by the auxiliary tree impact vectors). The functional failure I expressions and their results are given in the footnotes to the event tree -
,) ' ', input coding tables. While the functional success of the EF event is .~
j discussed in the event tree description section (5.4) and a dicussion of the
;t ! auxiliary state's impact on this event is given in tables in this section, we
/ i believe that the a discussion of the derivation and analysis of all the d ;
w : 7. I functional failure expressions and their results should be explicitly included
} ,
in the text Instead of a footnote. This would allow for a more comprehensive internal review and qualification.
;} .
i l We have reproduced the information given in the footnotes to the event tree j ,. input coding tables in Table 3.4.8 2 herein for all the front-line event t.ees t i 3.4-70
. . _ _ . . . . . . . . . _ . . . . .,,,,,_,3,.,. .
._..-._7
~
. . Is* ~ e I
L i '.r
- except the large LOCA tree and the seismic initiators. Table 3.4.8-2 also
.i O inciudes the Auxiii.ex Tree to,ect vectors (from sSPSA Tabie 5.4-2), a brief l description of the most limiting case of the auxiliary system state, the EFW 1
. configuration and failure expression used to determine the system y ! unavailability with respect to the auxiliary system state and initiating A
d event, the $$PSA mean unavailability derived from the failure expression and '1 1 the event trees dere the mean unavailability values are used. 4
?
- ; There were some discrepencies between the values given in the SSPSA ATWS LOSP iI input coding table (5.4-25b) and the footnotes given for those values. The
!i I values given in this SSPSA table for the 5,7,9, and 11 auxiliary impact vectors are 6.16E-4, while the footnote to these values indicates'a value of I 2.69E-2. In addition, the values given in this table for the 12,14 and 16 i auxiliary vectors are 6.16E-4, while the footnote indicate a value of 1.00. ,
- O The correct values that should be used for these entries are dependent on the _
~
j outcome of the previous event, turbine trip (OT). \ 6 d i Inspection of our Table 3.4.8-2 indicates that the SFP is considered available a.
only for some loss of main feedwater transients. This is correct since any
- ,.j '! accident situation with a loss of offsite power, or that generates an SI ii i
+.; j signal will render the SFP unavailable. However, upon further inspection, the 1 i SFP is considered available when there is a loss of all component cooling (PCC 'j 'c.'
.l i or SW) since it is being used for loss of main feedwater transients with i auxiliary impact vectors 4,11, and 16.4 loss of all PCC or SW will render the
^
! SCC incapable of removing heat from the SFP oil cooler and eventually cause
.a
- i ,
c .- i O I ; l! t
! 3.4-71
' . _ . . . . , , _ . . . . , . .,r . . . . . . _. , . , . . .
. - - . - . . ~ . -. - - .,...
- . a - s
,4 m
I 4 i j pump failure. By considering failure of the SFP with loss of all component i b'- cooling, the unavailabilities of the top event 2.4E- 2, and 1.00 corresponding to the impact vectors 4,11, and 16. respectively. A similar situation exists with respect to the secondary cooling function,
.t :
a l SC. The steam dump valves (SDVs) becomes unavailable upon loss of component cooling or when an SI signal is present because the air compressors are not Y '} cocied by the SCC (as previously discussed). The SDvs are also unavailable l
.. upon a loss of offsite power due to a loss of instrument air. In addition,
, during the above situations, the atmospheric relief valves (ARVs). only function for 2 hours due the capacity of their air accumulators. Therefore, 1
' for accident situations were there is a 1.0SP, SI signal or a loss in component cooling, the secondary cooling function becomes unavailable within two hours.
O' These considerations would render emergency feedwater unavailable for a
; considerable number of accident situations if only the 50Vs and ARVs were f
i!, ,. relied upon for secondary cooling as stated in the dicussion of the event trees in SSPSA Section 3.3. Paraphased from this discussion, ' failure of the 1 secondary cooling function results in loss of secondary heat removal'. The '- SSPSA has not considered the main steam relief. i l An inspection of the EFW pumps and the SFP characteristic indicates that they have sufficient capacity to lift all 5 safety valves on the main steam 4 lines. Considering that all five valves must fail to open on at least two of four main steam lines results in a very low unavailability for the secondary cooling function, considerably lower than the values used for the (, unavailability of the SDVs or the ARVs. However, by not considering the 3.4-72 l \
. . --. -;. . , , , m n . -, _,
.+ r oc .
y ..,- _ . ~-
.: s .
I safety valves in the analysis, several important accident senarios are
.m U
overlooked. The safety valves have a relatively large probability of failure 1 , V . to close once they have opened and when the SDvs and ARVs fail closed the
- safety valves would certainly open. Failure of the safety valves to close 4
a would necessitate a transfer to the steam line break outside containment event _t
?j tree for further consideration. The SSPSA has not considered these possible
{; accident scenarios in the analysis,
] i l
_j ' The additional requirement for flow to all four steam generators is only 1 , included in the loss of feedwater ATWS. This criteria is used for those
... t i +
situations in which the reactor power is greater than 80t of full power and i . f l the turbine fails to trip. Turnine trip failure will result in continued heat removal from the RCS following loss of feedwater which would limit the effects t of the negative moderator temperature coefficient. This situation requires i O more RCS heat removal for accident mitigation due to the additional heat generated from more equivalent full power seconds of reactor operation. II j qi Ig I
.'l 1 i i .
1
'1 .l} , ,
A
.1 :
eq !
- 3 1
/~
3.4-73
+ .
- l. .
l Taele 3.4.51 O Systas Configuration ans unavettaat11ttes for tne Emerpacy Feeemster System
. ,?
- SYSTEM ACCIDENT umAVAILA41LITY 00Mim4NT i CCNFIGu2Af!CN $1TUAflur. (means. per demand) CCNTR!aufat r f all suseert 6.76 6 SFP . maintenance
. .'. C3T + SFP (1) *EN (1) EFW . heresere
-e syst, e 1emsi.. -
,- III signal.
-l
.- loss of MFW
' .d. .] one 55P5 or 1.16 4 SFP . maintenance CST + SFP (1) *fFW (2) ESFA5 enannel EFW - herenam
} mavetlaele.
'.'J.
-l no meter.eriven
-{ .' I EFW imme
.S' *I CST + SFP (1) tota 53P5 or 1.50 - 2 SFP maintenance i"1 4 i unevattaale.
no EFW pumps
' ! CST . EFW (1) loss of 4.34 4 UW . herow re offsite power.
! no ifW trip.
I SIS avallaole
'l -
CST + EW (5) IIS signal availaole. no 5.87 3 ETW Mareware f turnine.eriven EFW pine A1W5 2.70 3 . piping heressere
. 4 EF9 (4) e (J') notes eu . matn resemater system ~
l'
.9 k
0
- s. ,
' 11
*E "l
*l t
.5 l
q) i I i
' .'.)
' . <l e
'h
+
.q .
';j
[,4 l l '. [- g
. *j e
! 3.4-74
( . . , . + , . . . . . . . . . . . . ~ . . .. . . . . /. . . . . . . . . . . . . . . . . ... i
e. t i e a
- faele 3.4.3 2
/)
'e .
(PCilGENCY FEIDsATER APPLICAT! Cat 73 C'itif 3EI TOP DEir
,) ,
E,et El* Aus. Tree As. systa= EFW Configuratton W a wa 61.
- er seane Tree
. acect 4 vector State (mean )
71 . 2.o .
".* a 0-4 less of EM CST + EFW(1) + :C(1) 4.34 4 ROCA
..' : less of all PCC sLOCA J* .i ' less of all SW $ sit Es imp
- TurSine Ir19
3 ATW5 TT I AT's5 $LOCA ;- t 'A (C57 + (W (1))
SFP(1) + K(1) 6.57 4 1,oss of W l C37 + ETW(1)
- K(2) 4.16 4 SL81 A 1 I SLno
.'3
- LQ$9 I
- A1WS LD$P
.i 1 CST + FFW(1) + [FW(6) + 3.32 4 ATW5 LOWW K(2) i .
less of one (C37 + EFW(1)) / 2 + 2.41 2 MLOCA
' 5175/E3FAS (CST + (FW(2) / 2 + SC(1) $LOCA enennel 3Gia less of all PCC Rn TRIP less of Si/LD5P Trustne Trip ATW5 TT
,- A11r5 SLOCA
( '.
- (C5T + EFV(1) / 2 + 2.43 2 SLs!
. (C3T + EFW(2) / 2
- K(2) 3L30 t
! ((CST + EFW(1)) / 2 + 3.41 - 4 Less of WW
; (C3T + EFW(2) / 2)*
,j- . SFP(1) + K(1) l l .'1
~
a.
. 1 i d...
O t f.d Ul ; Ql . S., . *. :f s3 1
~}'
k.-
.k . t 3.4-75 1
f .+ . . . . . . . . . .
, .. . + , . . . ,-,.m,p.;... 4. .-.. . ... .. . . , , . . . . _ . . . .._
t ~_ - . .6
(~\ TABLE 3.4.8 2 (CON'T)
. s . .. '
'e Ava. Tree Aua. thieve 11. Event
' .l Canftgeration per oemana Trw
.* Isaact system Vector State (mean) l CST + EFW(1) + SC(1) 6.16 4 LoS7 ATiss LOSP 1 2.69 2 ATW5 LaMFW
.] i (C5T (C5T + EFW(2))L/2
+ EFW( /2 + +
q , EFW(6) + 3C(2,l l l 12 16 Loss of botn 1.00 NLOCA
,I 5575/ESFA5 5LOCA
!j
- Less of all PCC SETR As Trip "s '
, Loss of SW/LOSP i Turnine Trip 5 ? 5LS!
i SLB0
.'4~i ATW5 LaMFW fJ . ATW5 5LOCA I, I ti . $FP(1) + 3C(1) 1.50 2 Loss of MFW f '-
CST + EFW(1) + 3C(2) 6.16 4 LOSP i ATW5 LOSP e I 17 28 LJ57 (C57 + EFW(1))/2 + 2.43 - 2 MLOCA 32 - 37 Loss of one (C57 + EFW(2))/2 + SLCCA AC bus SC(2) SETR Loss of one As irip PCC/5W train . Tureine Trfp
) Less of betft - "
Less of 'fD
} 55P5/ESFA5 5LSI caennels _ SL50 ATW5 TT Loss of one ATES SL3 A
.I OC. PCC. ATW5 LOSP 55P5/ESFA5 LO5P l'
} (CST + EFW(11)/2 + 2.69 - 2 ATW3 LaWW l; , (C5T
- EFW(21)/2 +
y... EFW(6) + SC(2) 29 - 28 same as above (C57 + ETW($))/2
- 5.03 1 SL30
.[}
35 - 37 0.5 + 3C(2) , si
.L S L
i i J
' 8 v:.
IT M a. t i
'I '
t : .- [; k' i
'$ 3,4-76
! 4 > 1 I l
- l. _. . -
, _. _ y ,_, 1 . - . . . - . . . . - . .. . - - . . . , - , . . . .
I
,i f . TABLE 3.4.5 2 (cca'T)
~1 Ana. Tree Ama. theve13. Event Isoect system Configuration per demead Tree vector State (seen) 28 30 Station CST + EN(2) 4.77 2 MLOCA
-) 81acaout Less of one
$LOCA
$6TR
' We ta Trip
.l4 h $3P5/E3FA5 Tureine Trip Loss of MFW t'l l SL8!
SLSQ
)
- ATWs TT i ATW5 SLOCA 14 ATW5 LOSP LOSP
).]
' CST
- En(2)
- EN(6) 5.04 - 2 ATW5 LaMFd Iv 4.77 same as aoove Csf
- ER(2) 2 m. COA
.'..i -
31 stoCA sain ej i Rs Trip f
'A '
Turotne Trip i
- Loss of WW 1 '
ATW3 TT ATW5 SLOCA ATWs L0sP LOSP CST + EFW(2)
- EFW(6) 5.04 - 2 ATW5 LaMFW
! ~' 1.00 SLSI
',' $LBQ i-3s Less of one C3T + EFW(2) 4.77 MLOCA l: D:. M: bus. SLOCA l, 53PS/t3FAS Ru Trip i furetne Trip
- ., { . Less of WW
~1 *.
D + SLSI
'l SLSO -N ATW3 SLOCA J.i Afhs TT C3 i Los? -M ,
4
- l 9 .
rq l'< IN m l'*, a* h 4
. .V l'
3.047 l
- - -. . .- , . .- . - - , . . . . . . . ~ . . - . - - . - - - - . . . - - - - - . . - ~
~ .
- k. '
TASLE 3.4.8 2 (CON'T)
;7,
- t Ass. Tree Ana. unavail. Event Configuration per semand Tree
.'3.' !asect vector Systa State (asen) 4, , -$ l 5.34 2 AfDs LaMFW
- C3T + EFW(2) + EFW(6)
(? '
- d Loss of all ((C37 . EFW(21)/2 + 2.43 - 2 %QCA
'd 29 . ao DC ((C37 . [FW(3))/2 */
SC(2) l 4.17 . ;f goCa
$ 39 40 Less of all CST + EFW(2) 3 IK
$LQCA
';*) ~
3.4.9 REACTOR COOLANT PRESSURE RELIEF SYSTEM _j 3.4.9-1 SYSTEM DESCRIPTION
.m
The reactor coolant pressure relief system is designed to provide primary j
1 . pressure relief and cooling for the reactor coolant systen (ItCS) through the
.j .
operation of power-operated relief valves (PORV) and safety valves. The l ,E l0 systen consists of 2 PORVs, each with an associated matter-operated block M valve, and 3 spring loaded safety valves. In the event of overpressure, the 9 PORVs and safety valves provide steam discharge to the pressurizer relief tank 4 where steam is condensed by mixing with water. The pressure setpoints for
\' +
.a '
automatic PORV and safety valve actuation are 2385 psig and 2485 ptig U/
*k M respectively. A nonnally open block valve is located upstream of each PORV lN .
and provides isolation for the PORY if excessive leakage develops. { O e.
- ;i U 3.4-78
,i
\ l - - - ~ . . . - . . . . . . . . . . . . _ _ _ _ .___.;.. . . . . , _ . . _ . . . . . . , _ _ _ _
_ . .m. . . . ._
~
_ . -.= i 3.4.9.2 SYSTEM ANALYSIS
.3 k
s
- l Five cases are analyzed with mean unavailabilities as follows.
.~. ;
..i 1
'j .
- Bleed and Feed : Two of two PORVs need to open on demand. Q = 1.05E-2
. 4 This is a hardware contribution. only. ?q ., ;3 . : ?
- Severs ATWS : One of two PORVs need to open on demand, and three of three if safety valves need to open on demand. 0 = 1.56E-3 Hardware contributes 65t, 4'
d cosanon cause 355 . 41
?
- Nominal ATWS : Three of tnree safety valves need to open on demand. 0=
9.85E-4 This is a hardware contribution only.
- ) . t 3
.q L
- Reseating After ATWS : Three of three safety valves and two of two PORVs or block MOVs need to resent on demand. Q = 5.86E-2 This is a hardware L contribution only.
If
- l
( ly
- Chemical Shutdown in ATWS : One of two PORVs neecs to open on denanc. 0=
. 5.72E-4 Comon cause contributes 931, hardware 71.
14 ..q: 3 33 A sixth case is also listed in SSPSA Table D.10-3 on page D.10-9 for enemical Te shutdown in ATWS with a single PORV availacle. The mean unavailability is fi ' 4.27E-3. However this case is not mentioned in the discussion of success
;b
'.}
criteria (Section 0.10.1.2), nor is a failure logic expression given for it
.! (Section 0.10.2.3). Its quantification is not discussed, and it does not
. appear in the results in Table 7.10-1 on page 7.10-3.
'k 3.4-79
, __ _ _ . . . ; .9- - ._ - . - - - - - - -- - - - =
4 l
- \
. Except for the inconsistency noted above, the analysis for the reactor n,
U coolant pressure relief system appea'rs to complete and *ccurate.
-l A
fj
~
3.4.10 ' Main Steam System
.'d I Sq'- 3.4.10.1 System Description
; l j .
'd .
3 l The main steam system provides for heat removal from the primary coolant M system. That portion of the main steam system analyzed in Me SSPSA consists
. ?:
q of the atmospheric relief valves (ARVs), condenser steam dump valves (SDVs), l' safety relief valves, main steam isolation valves (MSIVs), and the main turbine stop and control valves. r] l .- Each of the four air-operateo ARys, one on each main steam line, is d, i automatically controlled to regulate its associated steam generator's outlet
.;.j . header pressure. The total capacity of all the ARVs at their setpoint ;I pressure is 10% of the maximum steam flow. Eacn ARY is supp11ec air from the ?.i i
. .g instrument air system and is also equipped with an air accumulator. The SSPSA J.c
,h .
; failed to indicate that the accumulators contain enough air to allow for only wg
'h !* 2 hours of operation. The ARVs will fait closed on loss of air pressure. The
'3 ARVs can be controlled manually either at the valve or by adjusting tneir
;N;;5 j.i pressure setpoint on the controller in the control room given a supply of air.
m 14 ' ;i. During nomal operation, the 12 air-operated SDVs are controlled by the
, difference between primary T(ave) and a T(ref) signal (turbine first-stage C
- 1. ' pressure) to determine how many valves will open to dump s*eam to the l:s l
l ! 3.4-80 l 4 7 .- . . . . . . . . - . . - . . . . . . ..,..:...-- . . - - - -
.---e , - ~ . - --
condenser. For a large load reduction, either one-half or all the dump valves open and then are modulated closed as reactor power approaches turbine j power. During primary plant cooldown, the steam dump system is operated in a steam generator pressure control mode. The SDVs will fail closed on loss of
.i air pressure. The SDVs can be manually controlled. 'J
- t
?
) The 20 ' spring-loaded safety relief valves, five on each main steam line, are d
bi self actuated and automatically open at pressures from 1.185 to 1,255 psig. v. 3] The total capacity of the 20 valves exceeds 110% of the full load steam flow a at a pressure not exceeding 110% of the steam generator shell side pressure. Q
.d I4 3 .
The 4 MSIVs, one on each main steam line, are dsigned to close upon receipt of
-k an ESFAS signal in the event of a main steam line break or turbine trip failure. Th'ese valves can be operated manually from the main control board
(" and the remote shut down panel. - The electrohydraulic turbine control and stop valves control the steam flow to i y. the turbine during normal operation. During a sudden loss of generator loac, t
- 1. all stop and control valves close and all SDVs are opened.
S@3 J3 3.4.10.2 SYSTEM MODEL 1 U ' a , M The various components of the main steam system discussed above are analy:ec ] for the following functions listed below along with their failure criteria and boundary condittens:
'} .
.q ,
i l 3.4-81 1 J __ . _ _ . _ . . . . _ _ _ _ _ _ _ _ . . . . -. . .- .. - - _ . - - - - 9 T
, m . -- - ~
- 1) Secondary Cooling at least 3 of 4 ARVS fail to open on demand and
~
i
') at least 7 of 12 SOVs fail to open on demand, the secondary cooling function is analyzed for situations with offsite power available and for low of offsite power. 'd n .
i b.q 1
- 2) Main Steam Line . failure of tw or more MS!vs to close on
[] Isolation for demand. y] Line Breaks and
. Turbine Trip Failure 8
~
)
)
- 3) Main Steam Line the MS!V on the affected' steam line fails Isolation for an to close on demand and one of the open SDCs or STGR one of the remaining MSIVs fail to close on 5 'j demand.
.4 1 1 *
[ ?
- 4) Main Steam Safety one safety valve fails to lift in response Valve Operation
? to steam generator conditions; or given 7 for STGR lift, fails to reseat. ;e >
'y '2 i; 5) Main Steam Safety at least 3 of 5 safety valves on one or 3 Valve Operation more of the 4 main steam lines fail to open
%y for an ATWS on demand.
- 4 I
.l 6) Tur$1ne Trip One tur$1ne stop valve and one turbine centrol ~1
(, , valve fail to close on demand. 3.4-82
' ' ~ ~ ' ~ ~ ~ ~ *
., . . . _ _ - , - ~,.,~ -..--- .----..:~~-- - - ~ ~ . ~ ~ ~ " - -
i l, There are no reliability block diagrams given in- the section on main steam
] <
analysis (0.11) except for the analysis of the 50V control system. The
- q logical expressions are presumed to be developed directly from the above given i
boundary conditions and fa11urs criteria. The unit was considered to be at
- j
'.J ; normal power prior to an initiating event and the analysis assumed that the
? i
'f appropriate external actuation or control signals are present.
,1 ,
d 4 The logical expressions accuately reflect the systems configuration and 31
- ij operational mode based on the boundary conditions and assumption used in the 3 analysis. There were, however, discrepencies in their presentation of the y analysis. These discrepencies are discussed below. The unavailabilities calculated in the SSPSA are given in Table 3.4.10-1. Also given in this table c
(3 are the unavailabiitties calculated using the mean values of the data given in i the SSpSA (Table D.11-3) and their logical expressions for comparison. 1 :
? +
A t H i... t-. i t.' - l :k.. ,I i. .:g
< I.
P 1
- 2 '
k
.] i 3.- ,
q
'{ .
1 r, J 3.4-83 1
?
. . . = - - . . . . -.
.- . , _ . __ ~,,. . _ , _ , ... r .-,.- .-.r .
, < ~ :: - >
-l .
I.e . l-I n Tacl e 3.4.10-1
- s. ./ Main Steam Unavailabilities (failure on demand) s' } .
j FUNCTION FAILURE UNAVAILABILITY 1 CAUSE SSPSA USING MEAN
.s (TABLE 0.11-4) FAILURE DATA . .: (TABLE D.11-3)
Lil y . s> .wconaary ' 1, Cooling
-).
- a. Offsite Hardware 3. 61 -1 0 9.56-11
?
- Power Consnon Cause 5.63-8 5.53-8
.j . Available Total 5.65-8 5.53-8 ;? .d b. Loss of Hardware 1.16-6 3.11-7 't.! Offsite Cossnon Cause 1 . 81 -4 1.81 -4 Power Total 1.82-4 1.81 4
- 2) MSIV Hardware 2.54-5 1.39-5 i Isolation Consnon Cause 6.44-5 6.43-5 for Steam Total 8.98-5 7.82-5 Line Break ~
,. and Turbine '
l) . Trip
., 3). Steam Hardware 8.16-6 8.14-6 t
1 : Generator Cosmon Cause - - i i Isolation Total 8.16-6 8.14-6 'g for SGTR
, s (steam relief)
; 4) Safety Valve Hardware 9.28-3 9.27-3
%n i : Action for Consnon Cause -- - L',7 , SGTR Total 9.28-3 9.27-3 % ; (steam relief)
- 3. i i;} .j.; 5) Safety Valve Hardware 2. 01 -1 2. 91 -1 Action for Common Cause - --
d : SGTR Total 2.01 -1 2. 91 -1 } { (water relief) Z 6) Safety Valve Hardware 4.72-8 1 . 41 9 'l} Action for Consnon Cause - - lf ATWS Total 4.72-8 1 .41 - 9 L:!
.; 7) Turcine Trip Hardware 4.49-6 4.35-6 1 '
Cormon Cause - -
~. Total 4.49-6 4.35-6 i
- b. MoiE: Exponential notation is in accreviated fo nn.
e j 3.4-84 4 j _ ... _ . . . _ _ . . . . . . . . . . . - - - l ' 4_ . . - . . . . . , , . ....-...-...--..~:--.m--r--m~~
~ ~ - '~~
I.
I
.v. , .
i
. 1 i
g ; Inspection of Table 3.4.10-1 indicates fairly good agreement between their
~
DPD2 calculations and our hand calculation using mean values. However, their . i
? -
calculations for the Safety Valve Actuation for the ATWS event, produced a
.z -
a value tnat is 30 times our value. This result would tend to indicate that the i .J ; safety valve failure distribution they used was skewed to the higher failure A *
.] } probabilities or they made an error in recording their result.
J.! I u ;
~
.., ' . , , The equations given on SSPSA Page 0.11-16 in Section D.11.3.1.5, Total 1 i Secondary Cooling Function Failure, are incorrect. The consideration of the
; l
,)
, ARVs was previously accounted for in the expression given in Section
,. D .11. 3.1.1. These equations should be Osc (1) = (Qarv-h + Qary-cc) (Osdv) and Qsc (2) = (Qary-h + Qary-cc). The unava11 abilities for tais event, however, are dominated by conunon cause and the use of these equations as given does not (m! significantly affect the results. c: ,
} Tne quantification of the Steam Generator Isolation for an SGTR event d considers only 3 SDvs failing to close on demand along witn the failure of the
.4] '. 11 j MSIVs. It is not clear why only 3 valves were assumed open. Upon a turbine .31 ; ',j ' trip or loss of load at full power, from 6 to 12 valves will open to dump
- 1
] ! steam to tne condenser. For total steam line isolation all the open SDVs Ji i K. I would have to close on demand. For the case with 6 valves open, the r
p
'.I. ! unavilability would be 9.36E-6, for 12 valves,1.18E-5. Tnese values snoula be compared to 8.14E-6 which was . calculated from the seen unava11 abilities ,A l given in the SSPSA.
p, k g i. q 3.4-85 d* a,- *~ e .me e. .m o em w - ee -ow smeWM *M W .E9,W.*f - -- -_ J S
- . ._ __. ._.__._.~1__1__
, .g} 4 * * . ' [e
_ ~ For the Turbine Trip Event, the values give in SSPSA Section 0.11.3.6.1 for i
) Qtsv-h and Qtev-n do not match Table 0.11-3 entries. These values were q derived from the equation given in Section 0.11.2.6 and are equivalent to 16 cutsets of the fom (TSV) (jTCVk)**0.5, where j,k =1,2,3,4 j ,
Comon Cause failures were considered only for the Secondary Cooling and MSIY fi ! - 0
; Isolation for Steam Line Breaks and Turbine Trip events. The Secondary
- l Cooling event considered the consion cause failure of the ARVs to open 'on .
O , demand. For the MSIV Isolation event, comon cause failure of the MSIVs to e; : 1 L;i chse was considered. For the. remainder of the events, comon cause failures i d 1 were not considered to be a contributor to the their unabilabilities. i Human actions were considered in the event tree top events associated with Secondary Coo. ling, Turbine Trip and SGTR ! solation. For the remaining events, J human action was not considered to have a significant contribution to their
-1 1
unavailanilities. Test, inspection and maintenance are not quantified for the lJ main steam functions analyzed because the system is required to support 4., ongoing plant operation. i @II ,j l Hardware failure dur1r:g long term secondary cooling for plant stabilization or a l l}1 1 cooling could be overridder, by operator action. Therefore, long tem hardware
.? j failure of the secondary cooling function was not analyzed.
!.1 p)s [.* 13
-( *
( . 1 R - w l l 3.4-86 i . . . . _ . _ - ___.._.. . .. .- m--- - - - -
. .- --- -m-
- e. ' 2=
]
4 i
. s 1
3.4.10.3 COMMENTS I
?
-)
<j In general, the logical expressions presented in the analysis of the main
~j q steam system are accurate, valid and complete. There were discrepencies as j noted above. There is one concern about the secondary cooling function.
j
#.I !
- -i d As indicated in the section on instrument air, a loss of offsite power or a i I
)j : safety injection signal will isolate the secondary cooling system from the J -
service water system and result in loss of instrument air. With a loss of
~1
.ti instrument air, the SDVs will fail closed and the ARVs will only operate for 2
.i
! hours. Therefore, the analysis given for the secondary cooling function, I
l which includes only SDVs and ARVs, will only be valid for two hours. After this time, seondary cooling would have to rely on the opening of the safety
,, valves for steam relief. No analysis was performed for utilizing the safety V
valves during secondary cooling. - t
-q ~
g The SSPSA indicated that failures in long term secondary cooling could be 7[. overricden by the operator and, therefore, were not considered. After two R:. , hours of ARV relief, the only way to restore secondary cooling would De to r.4 Iif supply instrument air or manually operate the ARVs. Restarting the instrument q fj - air compressors was not considered in the analysis of the instrument air u
] {
e system.
- r k
4 The secondary cooling function is used in the event tree top event EF, emergency feedwater and steam relief. The effects of the above discussion on this event are discussed in the. section on emergency feedwater.
] .
; (J .
t 3.4-87
. ~.
E l
.[2 3.4.11 CONTAINMENT BUILDING SPRAY SYSTEM O
..j 3.4.11.1 SYSTEM DESCRIPTION 1 i
}
} ! The containment building spray system ('CBS) is designed to maintain the containment building pressure and temperature within design limits in the event of a main steam line break or LOCA. The CBS system consists of two j redundant trains, each having a centrifugal pump, a heat exchanger to the 1
.j primary component coc11ng system, and two spray headers. A spray additive
'l 1 I
tank (SAT) is shared by both trains.
- J s
l The CBS system is nonnally in standby. During injection phase it is
't automatically actuated by a P signal, and the pumps take suction from the refueling water storage tank (RWST). Borated water from the RWST is mixed O
with soditan hydroxide solution from the SAT, and pumped through the containment spray heat exchangers to the spray nozzles discharging into the [' . containment. The recirculation phase.is automatically initiated when a low! low level in the RWST and an S signal are detected. The pumps then take f.a i ,s, i suction from the recirculation sump. I l a. li 3 3.a.11.2 SYSTEM ANALYSIS E.
- The injection and recirculation modes are q'4antified separately for the three iij , boundary conditions of : (1) all support systems availasle; (2) loss of one 3
- automatic start signal, or one electrical power bus, or one suction path; (3)
]
loss of one PCC train. The mission time for success is I hour for the i ,b injection phase and I week for the recirculation phase. It is assumed that if { 3.4-88
;----.._..-.,- , , - - - - - - - ~ , - - - - - - - ~-~ ~~ ~ ~ ' ' ~ ~ ~ '~
~ ~ ~ ~ ~
- c. .. -c . . .
- s - - .--
the test lines wre failed open, the loss of the driving head to the train h would be sufficient to cause failure due to inadequate spray distribution at
.$ the nozzle spray ring headers. Another assumption is that failure of MOH addition will not cause system failure. The results SSpSA follow, i
/
- Injection Cases a ~
i CSS-CA/C3(1) = 7.25E-4 Common cause contributes 82%, hardware 14%, and 1 maintenance 43.
]
a 3 j CBS-CA/CB(2) = 1.02E-2 Hardware contributes 833, maintenance 175 . Of the j hardware contribution, 51 comes from a failure to open and remain open of the normally closed MOVs between the heat exchangers and the spray headers, and
., 39: comes from the failure to start and run of the CSS pumps. -
CSS-CA/CB(3) = CBS-CA/C8(1) = 7.25E-4 This case is identical to case 1 i
~ because of the assumption that loss of PCC water flow to the CSS pump seal
- d.1 .
$ coolers or to the CSS heat exchangers causes pump failure or containment 41 .h cooling failure, respectively, only during the recirculation phase.
rk 8
'M ] l
- Recirculation Cases JJ
- .'J")i
l
. CBS-XA/XB(1) = 2.27E-4 Comon cause contributes 56t, haroware 44%.
21 +4 l , .: ~ 2 This result is lower than the injection case by about a factor of 3 because various componer's have already changed state and only need to continue to l , function for the mission time. 3.4-89 l
.,,en-o.e.++ e...,* e****-a -**a*** ~ ~ ' ~
f+ a.eeef . 7,* i
. ..~ . . - . . . . . . ...
- u. . .
; f,() CBS-XA/XB(2) = 6.39E-3 This is a hardware contribution only.
t : I
?.? i i
1 CBS-XA/XB(3) = 6.39E-3 This is identical to the previous case.
- J ,
i 7 j
- Additional Recirculation Cases y j Four additional recirculation cases were quantified although no system failure a !
'l equations are given for- them in Section D.12.2.3 . The first two, X3/X4, are j quantified for boundary conditions 1 and 2/3. They require the operators to -
start the CBS system manually and operate it for 1 week. The results for 5 these cases are similar to those for the injection cases, only slightly higher because the mission time is 1 week .instead of i hour.
,. CSS-X3/X4(1) = 7.43E-4 Comon cause contributes 73%, hardware 23., and t
,a j maintenance 4%. 1
-j . .; , .
C35-X3/X4(2&3) = 1.15E-2 Hardware contributes B5t, maintenance 15t. t m 3 t, ! s1 .
+,j -
The next two cases, XC/XD, are again quantified for boundary conditions 1 and s]' 1j ! 2/3. These cases require that a CBS train and its associated heat exchanger
.s i train operate for 1 week in the recirculation mode. These cases appear to be e
'{ the same as the first recirculation cases (XA/XB.) with the addition of blocks
.. n
% . VA and VB representing the heat exchanger trains. !?' ; i 4 c.l < f
%)
5 i j 3.4-90 D
... e - en een -- .e==m** *
, qgo e es ** r.e p y ea yg p py sp he m # * '* #
m
-d,
- _, , es e .J, A e = + = **
t t 1 l CBS-XC/XD(1) = 4.98E-4 comen cause contributes 62%, hardware 38t.
. !O i l CBS.-XC/XD(213) = 1.08E-2 This is a hardware contribution only.
d 3.4.11.3 CDMMENTS ti
- .] ..
1 We have several minor points concerning the CSS system analysis. In ' .- i hI particular, systen failure equations should have been given for the additional [ recirculation cases. 4, '
= t
! There is an apparent error in the quantification of check valve failure for
, -?
blocks SA/SB and PA'/PS' (Section D.12.3.1.1 on pages 0.12-10 and 0.12-11).
; using a failure rate of 5.36E-7 per hour from Table D.12-6 times the mission i '
ps , interval of 168 hours gives an unavailability of 9.00E-5, compared to the listed result of 1.76E-6 for block SA/58. Again for block PA'/PB'. the check
..{! i valve unavailability should be given by failure to open on demand plus failure
.?
a to remain open : 2.69E-4 + (5.36E-7
- 168) = 3.59E-4 All recirculation h '
cases are affected, however the effect is small (approximately a few percent). 4
- -
- -1 Li -
0 ~ j[l Another apparent error was found in the evaluation of recirculation case
'.- it !
;j X3/X4(2A3) (Section 0.12.3.4 on page 0.12-16). In the unavailability equation, ,
- s jj j the two terms representing the MOVs shoulo contain. a "+" operator rather than k- the "x" operator.as shown. However these terms do not significantly d-g k i
contribute to the total, so the effect of incorrect evaluation of the equation
~! is minor.
1; i j . . C. 3.4-91 9
, _ . - _ . - . . . _ . _ . ~ . . . _
q -,,,. . m ,
- ~ . - . - - - - - - . - - - - . . - -
i, . t
; I 8
j l On the CBS system simplified P&ID (Figure D.12-1 on page D.12-34 and Figure l, 'q
.1 t >
._ / 7.12-1 on page 7.12-4) the spray additive tant is missing. Even though the j SAT was excluded from the analysis, it is still part of the system and should j} ; appear on the drawing.
i
- s l
In conclusion, no serious problems were found in the CBS system analysis. n Therefore, we believe the analysis to be complete, valid, and accurate. 2'
? '
bl 3.4.12 CONTAIMENT ISOLATION SYSTEM
~
t q ! 3.4.12.1 SYSTEM DESCRIPTION
- 1 -
The containment isolation system (CIS) is designed to prevent radioactive rel' ease to the atmosphere in the event of ari accident. This system isolates-b4 4 all containment penetrations that are not required for operation of tne
- .; .! emergency safeguard features '(ESF) systems.
)g j The CIS provides double barrier protection for all lines that penetrate the containment. A barrier consists of a valve, a closed system or a diapnram, L j depending on the location and application. j s- 4 j t L. w e Them are two types of containment penetrations. Type I penetrations are part ( I of the reactor coolant pressure boundary or connect directly to the
.T
gg i containment atmosphere and penetrate the containment. These penetrations are b .c provided with two valves as isolation barriers, one located inside the
,: containment and one located outside. Lines that penetrate the containmnent
,l - (_. but are neither part of the reactor coolant pressure boundary or connect to
- I '
t 3.4-92 I
.s . _ . - . . . _ . - . . - . - - . . - - - . . . . - - -
' l. , . , _ _ . . - _ - . . -m - - * - - '~ -" " " ' "
,. 7 -- -. e r*
- f'""
^~
, ,~ -~
the containment atmosphere are Type II penetrations. These penetrations are l 5J-provided with a single valve located outside containment as one of the two
. isolation barriers. The second isolation barrier is the bouncary of these closed system.
4
) Most containment isolation valves are manual valves normally in a closed 1- !. l position. However, systems that provide needed functions during normal plant .j' !
operation are provided with either automatic air-operated valves (A0V), u A solenoid-operated valves (SOY) or motor-operated valves (MOV) that respond to i 4 containment isolation signal. i I
; i During accident situations, the automatic isolation valves close in response to one of two containment isolation signals. The first of these signals is j the T signal, that occurs in conjunction with an S' I signal or high containment-i l j pressure. , The T signal trips a majority of the automatic isolation valves on i
t I nonessentional process lines. This is defined as " Phase A" containment I t isolation. The second signal, " Phase B" isolation, is tne P signal that [,; . occurs in response to high 3 containment pressure and/or containment spray q: I system actuation. The P signal trips the remainder of the automatic isolation j valves. j 3.4.12.2 SYSTEM MODEL i g
] i The failure criteria used for the CIS model was failure to isolate any one of
{ the containment penetration considered in the analysis. Failure occurs when l' V 3.4-93
- , . _ . . "~~ ' ' ' ~ ~ ' ~ ~
r .: - :-- -
l
, .. - ~
4 f j both of the isolation barriers do not function properly. The SSPSA reviewed the containment penetrations and eliminated many penetrations from
; consideration using the following criteria:
- 1) penetrations which are not used during normal operation and are N
ij isolated by normally closed or locked closed manual isolation valves J l and/or check valves; and
- l l< l}
-I I -
- 2) high pressure closed systems that will retain radioactivity.
J
.i ?
? -
; As a result of their review, the following nine containment penetrations were considered in the CIS analysis:
} 1) Containment online purge system - valves COP-V1 and COP-V2,
- b. ,
- 2) Containment online purge system - valves COP-V3 and COP-V4,
'j l d
llf , 3) Equipment ventilation system - valves VG-FV-1661 and VG-FV-1712, ij : I
.3 4) Floor and equipment drain system - valves WLD-V41 and WLD-V42
-.l i
, 5) Floor and equipment drain system - valves WLD-VS1, WLD-V82 and WLD-g FV-1403,
- 6) Reactor make-up water system - valves RMW-V25. RMW-V29 AND RMW-V30, l_. 7) Nitrogen gas system - valves FV-4609 anc FV-4610, 3.4-94 s
, ,, , , . . som , e e *e .- *' *
,,s y .t%*8F'*j'6' % ** ,"{ -
..e- r y e e g - --
i
._ -- ^
8) Steam generator blowdown system - one pair of the following valves: i SBl and 58-9, SB-3 and 58-10, 58-5 and 58-11, 58-7 and 58-12, 9
- 9) Chemical and volume control system, valves CS-V167 and CS-V168.
i - N 1 i 8
' Leakage through penetrations was not considered in the CIS analysis. The
{
-{
analysis also did not consider isolation valve failure due to containment environmental conditions existing during an accident and failures of the piping between isolation valves inside and outside of containment. a I a No credit is taken for operator recovery actions to manually close failed !f valves. Manual actions sere consisdered on a case by case basis. Test, inspection and maintenance were not considered to have a significant inpact on I Lc {y - the system unavailability. Operator error was not quantified for this
~
i
- analysis.
i -
'3
-t ,
T.
',9 Common cause failure was considered for the two motor operated valves on tne i 'l. j
4 : reactor coolant pump seal return line, CS-V167 and CS-V168. A beta factor of 0.0423 was used to quantify their comon cause failure to close in response to l a containment isolation signal. No other comon cause failures were
} I l _ consioered in the analysis, l;
\~ The analysis of the CIS was p. .ormed for the 6 conditions listed below:
- 1) Botn Train A and Train B Containment Isolation Signals Present L.-
3.4-95
----c e-7.
- - ~., - -
w r '~="
. ~ , _ _ . _ _ . _ _ _ _ . . - -~ _ -
- 2) Only Train A Containment Isolation Signal Available No Loss of Offsite Power J.
- f,
- 3) Only Train B Containment Isolation Signal Available, No Loss of ij Offsite Power M
- j
!]
.{ , ! 4) Only Train A Containment Isolation Signal Available . Loss of Offsite tj Power d
S) Only Train B Containment Isolation Signal Available Loss of Offsite
.. Power 1
1 l -
- 6) No Containment Isolation Signal Available.
( ~~ Condition 6 is also applicable to no AC power, no DC power or comoinations of failures .that result in failure to operate redundant MOVs or SOVs.
;y
.1 ij ;
Tne results of the SSPSA analysis for the 6 conditions given aoove are shown A (j ' in Taele 3.4.12-1. In our review of tneir quantification, we recalculatec the
;; r dj ; system unavailabilities using the mean data given in SSPM Taole 0.13-5 and 3
i their failure expressions. Our calculated values are also given in Table da , fl 3.4.12-1. d x u a E3 3.4.12.3 C0r.ENTS D
-j 1
j The analysis performed for the containment isolation system is valid, accuate 1 ']. and complete, i 3.4'-96
'i
~ s' _. . . . - - - _ . . . . - . . . . . - . ~
%. -,..g e.g we , -.w .m. .. , g
- o% =4 e $ ****2 . - .
, - . 7 'fe"D ****, -.r. * * . * * **W-- "* -"V.' ~* ' ' ' ~
- 3
.s
.3 Table 3.4.12 1 1 Containment' isolation System
; Unavailabilities
- I CONDITION h
.J '4 i . FAILURE CAUSE UNAVAILABILITY (mean, per demand) SSpSA d a OUR. VALUE ESTIMATE 9 !
- 6, l 1) All Signals present Hardware 1.17 - 4 8.38 - 5 1 1
+
Consnon Cau'se ' 1.82 _ 4 1.82 - 4
.! Total 2.99 - 4 2.66 - 4 3 ,
- 2) Loss of Train 8 Hardware 1.08 2 1.08 - 2 l signal, offsite Total 1.08 - 2
; power available
- 3) Loss of Train A Hardware 1.05 _ 2 1.05 - 2 signal, offsite Total -
1.05 2 power available
, ['
- 4) Loss of Train B Hardware 9.16 3 -
9.16 3 signal, loss o' Total 9.16 - 3 offsite power
.i .
A 5) Loss of Train A Hardware 9.16 3 9.16 - 3 signal, loss of Total 9.16 3 Qj offsite power j 6) No containment Hardware 1.00 -_
"1 ,
isolation signal Total 1.00 ___
.h ,
9q
- l.-
;.3 1 *I A
r3 '
.4
?.f
~
3.4-97 t
', i . . . _ . .= . . . . . . . - - - - --* *~ '
,.,,,,ne_ M-.q*H**'***** -
84r"*, ' ' ~
f
-l 3.4.13 CONTROL ROOM COMPLEX HEATING. VENTILATION. AND AIR CONDITIONING .1 3.4.13.1 SYSTEM DESCRIPTION- ,q The function of the control room HVAC system is tc maintain the control room j
temperature between 70 and 75 Deg.F. and to retain airborne particulates and a q g radioactive fodine during accident conditions (S signal ) . The system I D.*l consists of two redundant trains, each having a makeup air fan supplying the J) ;
.] ', common emergency cleanup filter, an emergency cleanup fan, and an air
,,) L} conditioning unit with. condenser f an, compressor, and evaporator fan. There-j, is also an exhaust fan, two air intakes, and numerous campers. The energency
^
cleanup fans dischar.ge filtered air into the control building mechanica'i room with no S signal present, and supply the discharge of the evaporator fans on an S signal. The evaporator fans of the air conditioning units supply the ( control room. One train is normally operating while the other stands by. E V 3.4.13-2 SYSTEM ANA!.YSIS
- x !
,J i Four boundary conditions are quantified. An important addition to tne
- y.a jj , analysis is the modeling of operator action needed to restore cooling for loss
- r 't It is assumed that the operator can
$ of offsite power or instrunent air cases.
w ," provide adequate alternate ventilation by opening cabinet doors and using 1; 37 portable fans if AC power is available. Then system unavailability is the sum
-b *j of the unavailabilities du'e to hardware, maintenance, and common cause, times a 'I the probability of operator failure. The operator failure probability is 1 *}
o quantified as 2.68E-6 . h a .- 9] , !p; - 3.4-98 i
.p , p emp - eg . w.**- ,*,9
- , i, > pq . - DM" # ***** '
- Boundary Condition IA: No S signal is required, and offsite power is
! i$ available.
4
?-
j CRV-1A = 1.20E-10 Of the automatic system failure, hardware contributes 87%,
-t
;a maintenance 131, for a total of 4.47E-5.
i.y.j 3 ,
'i
- i Boundary Condition 18: No S signal is required, loss of offsite power or h _.
loss of instrument air. ..
$j i CRV-1B = 2.68E-6 Since operator action is ' required to open discharge
- .+
i dampers and this action is not quantified (unavailability of 1.0) the
-] automatic hardware failure probability is 1.0 . The total system 4
unavailability then equals the probability of operator error in establishing alternate ventilation. l
- Boundary Condition 2A: An S signal is required.
t.* \ l' . p; CRV-2A = 1.48E-4 Consnon cause contributes 80%, hardware 181, and maintenance L{ r j ' 1%. Only the unavailability of the emergency cleanup function is quantified a U here.
}. .
4
;};
- Boundary Condition 29: An 5 signal is required and loss of one electric
' :,d.; power bus. $qb
$ CRV-2B = 2.08E-3 Maintenance contributes 531, hardware 47%. Again only the
] unavailability of the emergency cleanup function is quantified.
.I
]
- j 3.4-99 4
. . . . . . . . .... - .-.. .- .4 - ~ ~
~mn e - . ._ _.s-n*~awme m , _ - . , , , m,*"' "**~*~****"9"' ~* ' * , ' ' * " " ~ ~ -' ' , '
i ,-_y
*,.A
.os
. .u.
3.4.13.3 COMMENTS Two types of operator actions are identified: (1) manually starting the standby ventilation train or opening discharge dampers; and (2) establishing
}.
alternate ventilation with portable fans when both trains are unavailable. '
}
23 Only the second operator action is quantified, while the failure probability 2 (l of the first is arbitrarily set to zero for boundary conditions 1A, 2A, and gi
- " 23, and set to 1.0 for boundary condition 18. This treatment is inconsistent.
[i
- -)
For example in case 13, it is assumed the operator fails to restart normal ventilation after a loss of offsite power, but the failure probability of the
~
operator providing a1 ternate ventilation is quantified. In case IA, the failure probacility of the operator to start the backup train should the operating train fail is not quantified (effectively zero), while alternate O"' ventilation failure is again included. Case 1A is inconsistent with Case
- 13. The other systems analyzed in the SSPSA did not quantify operator actions i to recover failed equipment. However, these systems had automatic' starting f > <
1 capability for their backup trains. Since the backup train in the control
- a.
roam HVAC system does not start automatically, no credit should be taken for }} ; i (h it unless the needed operator actions are also quantified. Were this done, !?{ 's the unavailability for cases IA, 2A, and 2B would increase, while the case 13
.J ;
lij result would decrease. '$1 i3. *
- Tnis SSPSA analysis provided results sufficiently low so that the frequency of 3 control room HVAC system failure was not considered to have a significant
~
effect on plant or operator response. Therefore, this system does not appear I (f , in any further analysis. 3.4-100 l' j . . . . . . _ _ _ . . . . -. .... , 7,,,,.-_. .. .
~
< , . . ~ m v..
.l .
*e -
h . j .
- Correcting the treatment of operator failure quantification is not likely to
()
;4 -, change this conclusion.
l1 . a . 1* W 9 >Y g
- sl
- t. y ah
@1 s.te 4 ce
- IJ
.g b.
t
,6 p .
9)a w.!
~
t t..- rP
.h l
'l, -
?.) x'fr l ' .;J
'y 9.t j .a s -T4 1
- p .
s
- m. ,
r_ ;,
~s ,
A- {
>.1 ll c'
3,' ' ed
. N
( I 1 3.4-101 N'" tmM mee e ese ee eat, e emute mim me . e um g I *" *ON9%# M h @ -_T_,, , ^g g g$- gN,y 993 Jg'."$M QW=g p gg.apg g ,# _ %T Qg. 6
*U
,,-e'%",*
' w v M v!$ 21-4W&"W-V 'TVm q'-- gr m y s \=nm*==+=v *w q w9--w-v,*
.~ . - . .. ..~ . .
~
t 4.3 AIRCRAFT CRASH ANALYSIS
.J s
O - J Air traffic due to several airports and landing facilities near the Seabrook
'J - site is analyzed in the SSPSA. Included are the nearty Hamptem Airport, the .Ji 4 1dheelabrator-Frye corporate helipad, the Plum Island Airport, the Pleasant
- ) . -
View Airport, and Pease Air Force Base, as well as two major airports within
]
h 50 miles of the site, Grenier Field (Manchester NH) and Logan Airport "J (Boston). Also included are federal airways and direct aircraft routings near
,-f the site. These air traffic sources are analyzed to determine the annual h number of operation's of each type of aircraft to or from each airport or along G
.y each airway.
.] 1 Using statistics for approximately a 10-yr period, inflight crash rates per aircraft mile flowt were calculated for U.S. air carriers (1.51E-9 mean), and for U.S. general aviation aircraft (single engine mean 2.28E-7, multiple .
~
- - engine mean 7.23E-8). Crash rates per hour for the applicable military
., aircraft were calculated with means ranging from 2E-5 to 3E-6 for various a
g . types. A ta The frequencies of aircraft crashes into different structures of the plant are a b then calculated through the summation, over all types of aircraft and nearty
.}
'..{ flight paths, of the products of the number of operations of aircraft, tne 3 ,
crash rates, the distances traveled by the aircraft while the plant site is B)8 it within its potential impact area, and the probabilities of hitting a M l1 iQ particular structure given that the aircraft accidents are near the site. l' t 4 i I 4.3-1 1 .- .- .
. -, . ., g . - . _. , 97-,-- - -- -
- - --~ --
+
I i E i
; { The targets considered for aircraft crash incluoe the containment building,
-4
() the primary auxiliary building, the control building, the diesel generator
] building, the tank farm, the service water pumphouse, and the fuel storage 3
3 building. A structure fragility analysis concluded that the containment is j ' vulnerable only to aircraft weighing more than. the 81,800 pounds of the FB-N} ; 111A military aircraft, and the other critical structures can withstand the 9 i
.h impact of general aviation aircraft up to 12,500 pounds. Therefore general 9 1 d' '
aviation . aircraft can damage only unprotected safety related equipment which M*1 the RWST. It is concluded that any accident scenario resulting from the crash
'j-j.3 of a general aviation aircraft could not cause core melt. - !d. '
3 d A crash of a larSe aircraft on the containment is assumed to cause a large LOCA and is quantified in the plant model with a mean impact frequency of
/
., 1.21E-8 per year., A crash into the control building would cause core melt and e 1s quantified with a mean impact frequency of 1.39E-7 per yeae. A crash into the primary auxiliary building causes core melt due to loss of primary
'T c
component cooling, and is quantified with a sean impact frequency of 2.00E-7 per year. Loss of the service water system is not quantified because of the f.] : cooling tower backup. Loss of the diesel generators is not quantified because bi ; d E' , a loss of offsite power is also needed for core melt. W :
- V +
h.'$ In surinary, the SSPSA presents a complete and thorough analysis of potential e H
; aircraft crashes, and their conclusions appear to be reasonable.
4 : M, l' . 1
- i i
.! 4.3-2
'1 e 1
. , g nn. #W - - - - " - - ' ~ ~ ~ ~ ~ ~ ~ ~ ~ ' ~ ~ ~ ~ ' ~
-~- m r - - a. : - --nm s
? m x
=, -~
^
t W 3.5 HUMAN FACTORS V' 'f.i
; The SSPSA evaluated a number of operator actions required for plant safety j under various conditions. The analysis tecnnique used was operator action pTI trees (OATS). This section presents the results of our review of this .l' El i analysis from the standpoint of technique and application.
ed j 3.5.1 General Comments on :ne Human Factors Analysis Y t l O f The OAT technique was used to represent the various human actions evaluated. w ' Altnougn we have a number of specific corrinents wnich are discussed in the following section, in general, the trees developed were reasonable-a - representations of those actions. One important exception exists in the area 9 , i i ^ of cognitive error analysis (the diagnostic / decision makiiig phase of operator m .
.J. . ; response, as opposed to the procedural / performance phase which was generally j handled appropriately). The analysis did not properly account for operator confusion resulting in his taking totally inappropriate action. Although the tj l $ , study discusses this aspect of operator action, and provides an operator
_s , % ; confusion matrix for the operator believing that the plant is experiencing a .~ .: . particular initiator when it is not, the analysis is not carried to its
'/i 3:)
. logical conclusion. In most cases, the SSPSA analysis treats the operator d 1
- f. : misdiagnosis only when he is required to take a specific action in a given i
Q I situation and fails to recognize it. This is an " error of omission" by the g? . operator: 1.e., he fails to take an action wnen one is required. The SSpSA
- p .
does not, however, treat the case of misdiagnosis causing the operator to take 9.{
."3 t an action when none is called for; i.e., an " error of comission". For Q exa:gle, tne SSPSA treats operator misdiagnosis during a transient wnere there
- 1 M 3 5-1 u
;a 3_ _., _ -, m. . . m. __.._._,,,.__m. _ _ _ . . - . . _ . _ _ . - . . ,, ~ . - , - . . . ,
. -.s.
. e .
i j- l s
]
', { ,3 is a potential for pressuri:ed thermal shock (PTS). In this case, tne I i
;'$ operator misdiagnosis implies that he believes the transient to be progressing i on a normal course, with proper turbine trip, and he fails to take action to l
l '. prevent PTS. However, tne SSPSA does not treat operator misdiagnosis during a l 9
# . small LOCA where the operator believes that it is only a transient caused by d ! ;j, l an inadvertant safety injection signal and he terminates- high pressure injection when the correct action would have been to do nothing. This type of f.h! ;
operator error should have been included in the analysis, and specific H} If instances where it applies are discussed in the next section. n , 3 : ir :
. Anotner general proolem appears in the area of tne time available to take
- various actions. In many cases, the time frames utilized are not justified by
;l either analysis or reference to other PRAs. While tnis does not have any p effect on the structure of the OATS, it will affect their quantification since
'J
.j :
diagnosis is a function of time available to the operator. Specific problems
- in this area are discussed in the next section.
.< ?
d j] . The final general proolem pertains specifically to the quantification of the
$ OATS. The SSPSA does not make clear how the trees were quantified, especially 4
c, . $G ~ with respect to tne values used for each branch on the trees. A data base is
. ,( : included by reference, but there is insufficient information to determine 3 !
precisely what values were used in specific situations and how they may have c .e [Sa been modified. Thus, the results of the OAT analysis are not easily { g , reproducible, which leads to some doubt about the validity of the SSPSA r.a , ']j results. The individual values used for each branch of the tree shoul1 have ( j,- been provided, along with a justification for their use. Otherwise, it. .. q
~ '
verification of any of tne final results requires a completely new y} .s fj
- f. 3.5-2 m
A . ,-., " ~~~. : : L'~:'. . .. J .,. ,. , . :... , , ~ , - .- .. . . . . . . . - . ..
[ , I . requantification of each OAT based on a.new assessment of applicable data for
$ t .: - I each action on the trees. 't i '4 l 76 3.5.2 Specific Comnents i.:'.
I N) Pt This section presents our review results for the individual human actions analyzed or which should be added. It decribes specific changes wnich we
. I M I consider necessary to properly evaluate human factors contributions to plant _ !j 1
}:j damage state frequency. It is extremely important to note that the procedures l gj i which pertain to the operator actions reviewed wer'e not provided to us, 4 l S although we requested them from PSNH through the NRC. Our review is therefore l necessarily constrained by the fact that we were unable to examine the source f { of the OAT analysis. In the absence of that information, we used our own i j experience with similar plants and the Seabrook systems analysis, along with
~ ~
a information aquired during a plant tour and sinalator session, to make
~t s
- judgements concerning the likely content of those procedures.
,4
- f g
.g d5 3.5.2.1 Operator Actions RT and OH
'O ,
M y g Tnese actions pertain to operator response to ATWS events. Event RT
.;J
]
g j :y; . represents the operator manually tripping the reactor from the control room l 6 3u ' and event OH represents the operator affecting shutdown over a longer time l f j .O 3 period when trip fails and the plant survives the initial pressure spike. These events are both modeled on one OAT. l (M *
.l q
The analysis assumes that the manual trip function must ce performed witnin
'}.
f' one sinute, wnicn we judge to be reasonable based on other PRAs and analyses V
'l 4
3.5-3 ,11 y 9
. - - ~ ~.~s, s n. s-.
e y.~.~~. - - . - - y ,. s
.s3 e p_ _ s 7 y m.w-,n.e . .
z
.. -. .. . . . = - = _ . . - ._. .
. . . . . _ _ _ _ a u
of the time available to reduce the pressure spike. However, the analysis treats the manual trip action improperly. The tree snows the manual action following " operator checks indication" and " operator performs diagnosis", and
.1 i,
a furtner, failure of either of these steps fails the subsequent action OH in
.g h addition to RT. We disagree with two parts of this analysis. First, tne t ] l manual trip action is a normal backup response for the operator. He does not ):,;
I evaluate the indications or make a diagnosis, but rather responds 9 ! automatically to the obvious plant upset witnout evaluating the precise 11 situation. Second, failure of a diagnosis, early in the event snould not preclude the eventual shutduwn of the reactor by event OH at a later time j i.e., RT and OH snould not be completely dependent events as sacwn on the
]; tree. Thus, tne " manual trip
- step should appear first, prior to diagnosis.
> Given failure of tnis event, the question snould then be asked about indications and diagnosis, followed by actions to shut down by, event OH. The
[3
"] value selected for the quantification of manual trip should be based solely on instinctive response, as opposed to diagnostics, and tnus should have a
')d significantly lower failure probability tnan cognitive errors in the one 7 minute time frame. It is also important to note, as discussed in Section lt Li; 3.2.2.9, that this manual trip action applies only to RPS failures in the e yu. ; electrical part of the system. Meenanical failures cannot be recovered in the A - one minute time frame. Ne G , The SSPSA evaluated event OH based on a need to take action to snut down the
- V reactor, essentially through emergency boration, witnin ten minutes. We 4
! discuss in Section 3.2.2.9 wny this is overly conservative and explain our
,.y i justification for assuming a time frame of at least 60 minutes. Thus, the OAT c.- j c; 1 (^ v should be quantified based on a diagnosis time of 50 minutes, ratner tnan the 9 il 3.5-4 I l . . . . , . _ -
a x ,, .. ... -
. .. .+...a . . . .
j . s p i i j.
.: j ! s ten minutes used in the PSA. The only exception to this is the case where a ;g! small LOCA occurs along with the ATWS, in which event a 20 minute time frame ij should be used. ':i A .
3,J 3.5.2.2 Operator Actions 001 and 002 i i Yi . p, - The OAT used to represent these two actions, which represent operator 1 depressurization for LOCAs when HPI fails in orcer to utilize LPI cooling, is al
'j {
a reasonable representation of the acts required. We disagree, nowever, with l the allowable time frame for 002, which applies to all cases except medium
. .) .I l LOCA. The time frame of one hour used in this case, is contradictory to 1 . , l assumptions used in most past PRAs wnich allow only 30 minutes for action.
Since the SSPSA offers no , justification or analysis for the longer time frame,
; - 'it is our opinion that 30 minutes should be used for all .cas.es. This means
~: (
; that there is no reason for event 002, since the only difference between the two actions is the time frame.
'd il , i i-/ i
- s 2 3.5.2.3 Operator Actions OM and OP
;t d *~
l Ik The SSPSA treats the actions OM, operator controls feedwater flow following
- W lj turbine trip failure (potential PTS event), and OP, operator stabilizes HPI j d, given he has controlled feedwater, on two separate OATS. We believe as i11 'i-discussed in Section 3.2.2.1, that this should be considered as a singla l 'a 3 i action, that of the operator preventing PTS, and it should have been modeled j ,
1 ' on a single tree. Thus, our first coment is that the OP tree should be
~a ii appended to the OM tree on each branch for which ultimate success, prevention
.ei ,
. of PTS, is possible. Prior to doing this, however, the diagnosis event on the i
I .
,; 3.5-5 lj
.~..,-r~;------ -- - ,~ - - -
[ - _ _ _ _ __. _
s 2 OP tree should be removed since the contention that this is one action implies
, 3
/
7 that only one diagnosis is required. This comoined tree would still require r'
./,J . - changes due to problems with the individual trees as they now stand. The a
remainder of this section is concerned with these specific problems. 1 l On the OM tree, complete termination of auxiliary feedwater flow by securing ') - both pumps is considered acceptable except in one case where if the MSIVs are
- : open, boil dry is assumed.. However, on another part of the tree where there d i ,
M i is a branch for pump termination, the MSIVs are not even considered and an 3 9 , acceptable state is assumed. This structure results in two parts of the tree N
'i enich contradict each other. In any case, it is not apparent how the MSIV position would make any difference. There will always be a need for feedwater flow to prevent a boil dry, since the steam generator SSR valves will lift to release steam to the atmosphere. Complete termination of feedwater is the same as failure of all feedwater in the first place, so that these branches on 3 the tree should always lead to boil dry. Further, since the position of the
'ce
;4 MSIVs has no effect on the outcome, that event should be removed from the -
A , tree. R : R Two unacceptable conditions are represented on the OM tree, overcooling and bo'il dry. However, these two conditions are both assigned to end state 2. lh 'J This iglies that these two results are considered equivalent in the SSpSA, l{:? j hf which is incorrect. The occurrence of boil dry is the same as that which 51 would occur during a total loss of feedwater sequence, and should be j considered to result in a core melt. We would give no credit in this case for '
- initiating bleed-and-feed cooling since it is unlikely that the operator would r recover frem his initial error by establisning this cooling mode.
f j V 3.5-6 i 9
.. ;=- . . . . _ . - - 7, .. ..: n .,~.:n a ;y ,y ,...,- - .-. . -.-.--
t
,3
- r-
... Overcooling, on the other hand, does not lead to loss of feedwater and core N melt but only to the potential for PTS to occur. This is obviously a nuch j less severe condition. Therefore, boil dry and overcooling should nave been h treated as separate end states leading to different event sequences.
ll3 C
.h For the OP tree, as stated previously, the diagnosis phase is no longer .a ij required. Initial consideration of tnis event should be handled at the
? beginning of the combined tree, and failure would result in PTS if all hl
? hardware systems function. This also addresses anotner of our concerns, wnich
- 1
;O: - is end state 4, ask bleed-and-feed. The SSPSA states indirectly that failure to control HPI results in a bleed-and-feed condition due to lifting of the PORVs due to charging pump flow. This is not a true bleed-and-feed situation ~,
and has nothing to do with the outcome of the sequence. The sequence result depeus only on the availability of'feedwater and wnether or not'the PTS 7.._s., results in vessel rupture. If feedwater is available and vessel rupture does 3 ' not occur, the plant will be sufficiently cooled wnether or not HPI is on,
.s off, or controlled.
b.a Y The remainder of the tree appears to be relatively satisfactory with the goal M e 1 t Q apparently being to distinguish between proper flow reduction and too mucn ij , i flow reduction. Another enoice, insufficient flow reduction which would result in PTS should be added. This would represent the case where the [y . fd operator correctly decides to take action but fails to prevent PTS anyway. ~ We ij ?) also question the need for the brancnes on the "SI not required" part of the 1 tree whien lead to hardware failure, since the failure of pumps that are not 1 required has no effect on the final result of any accident sequences. Thus, 'h . /' v these brancnes are redundant and should be removed. 2 i I 3 '. 5 - 7 i 1 1 a
.h
.. , . - . , ... ....y.....p. y "[ -)~. .. .m-- - --..-..--- .- - ..- ,
.= _ _ _ _ . _ _ _
~
, _a._ -
The failure branches on the OP tree (end state 3) properly represent operator errors resulting from the operator confusion witn regard to believing he should be stabilizing HPI wnen he should not. It is procer to consider nese
) errors, however the SSPSA analysis does not make it clear if tnis is properly ]-
handled in their final analysis. The discussion implies that this end state a i
- -l
;; l is added to system failure for certain initiating events based on potential ~1 ; ;j j operator confusion, but no explaination is provided to describe how this is .-n 2 done and precisely where it is applied and wny. We doubt, that tnis was done i
is , correctly, based on our review. An example of one place where we believe this U i' concept should be applied is the case of a small LOCA with botn EFW and HPI 4 operating, so that ne plant appears stable and the operator concludes that he has something like an inadvertant HPI or an overcooling transient. He therefore takes action to control or terminate HPI and does not realize his f- , error until it is too late. This would result in a core melt sequence
~
represented by the failure of HPI. i
. 3.5.2.4 Operatoc Action ON 6 :
ld o.; .
*$ l As discussed in Section 3.2.2, this action need not be considered for any case h'd i tj j except for delaying core melt in conjunction with LPI for RCP LOCAs induced by r -
j loss of seal cooling. In this case the action required is essentially
-}l i ;) , identical to action 001, so that the analysis of a separate action ON is not n ;
- y requi red.
O e c;y 3.5-8 d ..4 ' e' "1 .. . 3 1 t
=
-+ , . . . :_ : C .~~ .;. .%C 1 . __.y * ~4] , ",.e.,...- _
r--
. .w.. - .
_ _ _ . - _ _ - m
.4 g
}
3.5.2.5 Ooerator Action OR j The OAT representing this action, the operator initiates bleed-and-feed * . ~:} ; cooling, is a reasonable representation of the acts required. Most' previous
'3
. .i PRAs have assumed that with loss of all feedwater, which -is when bleed-and-E -I feed would be required, core damage starts at 30 minutes if a LOCA exists and
-[ j at one hour for transients. The SSPSA allows two hours to initiate bleed-and-
.4 j
) feed cooling, apparently for all cases. Since the SSPSA does not provide any
. ;4 i
- d
- justification or analysis for its assumption, we believe that the above
- 71 i
mentioned shorter time frames, based on event timings for similar plants,
')
should apply. p 3.5.2.6 Operator Actions for Recirculation (03. LR. HE. HS)
-j All of these actions, which represent some realignment of the ECCS systems j'. during the long term of an event sequence, are modeled on a single OAT. The l1 13- ,
SSPSA made this choice because they made the judgement that, while the precise et ; y ; actions required and the time available were different, the actions were
*y-identical in a general sense. We agree with this point.
i 1 id
- 1
- ;) We do not agree, however,'ith w the need for all of these actions. Action LR 2 Q represents realigning RHR for long term cooling of the core in the RHR mode (suction from the RCS as opposed to the containment sump). As discussed in
. Sections 3.2.2.1, 3.2.2.2, and 3.2.2.8, the credit given to this mode of cooling to render recirculation unnecessary is not justified. The refore ,
f 1 , action LR is not required. Action HE and HS represent realigning i a i 3.5-9 4 k
.p. we ese == - e,- ax ew +p . g ysg ,,e
, s
- 18 9'r89tPWe W N ** **"**M8'* * * * *
"%@#9 N
, - > 4.4_ . _q;u__ _ ,
,- recirculation for hot leg injection about 20 hours into an event. The two actions represent different system availability conditions. As discussed in Section 3.2.2.5, we believe this action not to be required. This leaves only action 03, wnich represents realignment of tne ECCS to provide nigh pressure recirculation.
n i
'? ,
d; !. d . 1 The OAT constructed for this event is a reasonable representation of tne M ; actions required, however it appears that it was not actually utilized in the b ,=.]~
, quantification. The SSPSA assumed, that this action is dominated by an error ;1 of omission in performing tne procedure, so a simple calculation was performed ?'
for this type of error and tne result was used to represent the entire l actio.1. This is one of only a few cases in ene SSPSA wnere it is possible to reproduce precisely what went into the quantification of a human error. probability, and it'is the only case which utilized .an OAT. The position that
'~ ~
this error of omission dominates is arguable, sinca there is also the l :!. o-possibility that the operatcr picks the wrong time to perform the action, or .J !d makes an error of commission in its performance. These errors should have 1++ been incl-uded in the quantification (they are accounted for on the 0AT).
,} l Furthermore, tne quantification contains an error in it. The SSPSA used dat i .,'
- j> .; directly from NUREG/CR-1278 (Ref. 3.5-1], from a table which pertains to
- r .!
- 7j
, errors of omission in the use of procedures. In the quantification of the
)v { action, the SSPSA assumes that a high level of depenaency exists between the lq .
lt two operators in the control room. The table they cite, however, states that l%
! If tne procedure is used correctly (one operator reding the procedure 'vith s
l ,, another operator performing the checking), complete dependency should be
- .y
! 3 used. Based on tapes of simulator exercises wnich we viewed during a plant i
.3 (v visit to Seabrook, this is precisely how the procedures are carried out.
3.5-10 l
%E* . y .,-.==.$~.I *.' EY.c .' "
-,[y
_ - , _ __.mye N =- e 3
- 1 y= , 6.* ,- ** . % y **l**"*~******
s Thus, complete dependency should have been used. Furtner, it appears that the actual reading is done by the snift supervisor while each operator performs e.[ actions on a different part of the control board. This means that the complete dependency snould also be extended to include the snift supervisor. i.d The SSPSA assumes moderate dependency between the shift supervisor and the a h operators. The only person not directly involved may be the shift technical
;d '
m3 advisor, who is free to make independent checks during the performance of the .2 [ procedure. He can probably be assigned a low, or possibly even zero, level of j?.i dependency rather than the moderate which is used in the SSPSA. In any case, i 3J . ?.j since the.snift supervisor is apparently directly involved in the performance 01 [ of the procedure and the shift technical advisor is not, tpey snould not have been assigned the same level of dependency. As stated previously, this action is the only operator action in the SSPSA ,c modeled by an OAT fcr wnich the quantification is presented in sufficient p detail to reproduce the result. We can only postulate regarding the other
- s l actions, but have to assume that the other actions have similar errors in
- j their quantification in the area of dependencies between menters of tne i '). control room crew.
- .4 A...,
f) 3.5.2.7 Goerator Actions for SGTR (GE. AI. OP41. OP42. OPSI. OPS 2 OG1
.i -
s
,4 #l The SSPSA does not provide OATS for these actions. The actions themselves are
}) , .y too broken up to be useful. OE represents diagnosis of tne SGTR, AI
- y'
.i represents isolation of a stuck open secondary ARV, the OP actions represent operator depressurization of the primary under different system availability conditions, and OG represents isolation of the faultad steam generator. Tnese ..i v
3.5-11 a
' .,..,,.-n.,w.---.--. u ,
,__ .. ,_. -., ; . . ,..- .g ,
.~ ~ _ . . . . _ _ _ - . . , . . , _ _ _ _ . _ _ . _ , . _ _ _ _ . _ _ _ . _ , . _ . _ . _ . _ . , , , , . _ _ _ _ _ - . . _ . _ _ _ . . , _ , _ _ _ _ _ . . - __ - , , _ . , _ ,
1 .
. .{,p .- __
t 3_
' actions should be contined onto a single OAT which models operator response to
~/ SGTR. It would have various conditionals wnich would represent the system y
availability and indicate acceptable success paths for tnese conditions, along
- } with various end states.
lI!, - Ei 3- We also disagree with the time frames allotted for the actions involved. The SSPSA uses very short time frames, on the order of 30 minutes. In fact, it is a G only necessary to reduce pressure and terminate break flow prior to depletion q q of the RWST, wnich we would expect to occur on the order of 6 hours after trip
-3
'n if cnarging flow is not controlled, based on information provided in Appendix B of tne SSPSA. This time frame could probably be extended to pernaps 18 nours if credit is taken for the use of recirculation to utilize water lost to tne sung through the PORVs. The longer time frame availaole snould be 1 . g, . accounted for.
~
j-l There is also some confusion regarding the nomenclature for these actions. y The SGTR event tree has two events, OR and 00, wnich represent operator s'a . actions to control break flow. The OR event has only a passing resemolance to 3.a
- U ,' the event OR discussed in Section 3.5.2.5; in tnis case it represents events S
q , OP41 and OP42. Simil'arly, event 00 on the tree also has only a passing ij j resemolance to tne event 00 discussed in Section 3.5.2.2; in :nis case it represents events OP51 and OPS 2. ' y.- 3.5.2.8 Operator Action EFR This action represents recovery of the turnine driven emergency feedwater pump
? '. during station slackout conditions. An OAT was not developed for tnis action, t .i J i:
11
- 3.5 12 s%
.I t
.,..,,..e.~nn.,,,-.,m._.
. . -e : s - ..- . - , - - - , - .
*-*,---~~=-*~~~~~~~*' '
~ ' *" ~'
; y. .
i t 3 and we agree that one is not needed , In essence, a detailed analysis of this recovery is not required for a very simple reason: the failure to recover 7 5 this pump will be dominated by failures that are not recoverable. The 53PSA O analysis snows this with their value of about 1E-3 for tne failure to recover. The use of a value of IE-2 or 1E-4 would not change the result. Even a value of IE-1 would have only a very slight and statistically k insignificant effect on the result. For this reason, we have not performed a
}'
critique of the SSPSA quantification of the operator error, and tne failure i' t rate can reasonably be approximated by singly subtracting tne fraction of i 4 failures wnich are recoverable from the total failure rate of the pump. 1 1
'.}
J (n the other hand, the assumption of anat percentage of :ne failures are recoverable has a greater effect on the result. The SSPSA assumes that one-f- , 'sif
. of the failures are recoverable. They state that this nunter is based on experienca and plant data from similar units, but the data is-not presented.
; The worst case situation would be that no failures are recoverable and
? ; , '! therefore the pump f ailure rate would be 'a f actor of two greater tnan that
/ used in the SSPSA. Under station blackout conditions based on our revised i
g analysis of station blackout timing (see Sections 3.2.3.1 and 3.5.2.10), h recovery of EFW would only mean that the time for occurrence of core damage . ...s 'M would be extended from one to two hours, giving an additional hour to recover
-q d:)
elect.'ic power and avert core damage.
...,.i .
$'d '
'! 3.5.2.9 Ooerator Actions SWR-1 and SWR-2
,i -
,d l . I The SSPSA gives credit for recovery of service water cooling for two possible
'l situations. SWR-1 represents recovering for the loss of main service water i
i [] ' 3.5-13 b..
- R
_. . - - .. - ,-. ---- - m , _- .__m .
. - - .. - ~ ~ - c. --
p: + m
o . t
- , , flow by placing the backup service water cooling tower into operation. SWR-2 1
a represents recovering from degraded cooling capability due to diversiS cf i 1 service water flow. In this case, failure to automatically isolate non-n
.' essential cooling loads is recovered by manually isolating these loads using a ? . .! backup isolation valve. The SSPSA assumes that the time frames allotted for $ these recovery actions are based on the limits imposed by the SWR-1 condition. -J .
1 ' a total loss of cooling. This is somewnat conservative for the SWR-2 case but
] .
j not excessively so. The time frames utilized are 30 minutes for preventing a d failure of nign pressure injection pumps and 4 hours for preventing core k l.1 ' damage. The 30 minute time frame seems reasonable but tne four hours is A 9 suspect. Since loss of service water nas a similar effect to loss of all AC l power, at least from the standpoint of RCP LOCA and loss of nign pressure {H injection, it sitould be treated similarly. Tnat is, failure to provide
~
,. cooling to the core within two hours' will result in core damage. The difference in this case is that cooling can be provided by secondary g
depressurization and low pressure injection. Thus, three time frames are ']
- q' l
; . appropri ate. Recovery within 30 minutes prevents any failures. Recovery p within two hours means nign pressure injection failure and RCP LOCA requiring
't ! use of LPI cooling. Recovery in the long term (6-8 hours) means core damage N i
- 9 can be avoided by recovering recirculation cooling.
- J .l
- ii !
i <l ,O i The SSPSA provides no analysis for this action. There is no 0AT and tne finai d I. . !y 1 answer is giveen witnout any justification or explanation. This action is not
- 15 t
~
- like EFR in that the failures of service water including recovery may not be fi dominated by non-recoverable failures. A more detailed analysis of this
,q '.i action is warranted.
.] F 3.5-14 1 ,
v 1 , s k
. w - - --
. .h . ._- em e- - + - --*- . - " -
we -- ~~ a_ v. -- . -
3.5.2.10 Operator Action EPR
- This action represents recovery of electric power following station r ,
-i blackout. The SSPSA provides an impressive detailed analysis that takes into i .
~
; i account: (a) loss of offsite power at various times following the initiating event, (b) loss of onsite power at various times following loss of offsite
] -
1 7 I power, and (c) recovery of both offsite and onsite power. The anal'ysis I
.j.e - '
demonstated that station blackout is dominated by loss of offsite power at d
.* : t=0, which did not come as a great surprise to us, since it has always been art *l.
Q , assumption of previous PRAs. We did not perform a detailed of review ene part
&1 ,
; of the methodology concerned with the subsequent consequential losses of I
~
offsite power because, in our judgement, they could not become important. l This greatly simplified our review. A The major problem with the remainder of the analysis rests with the time frames utilized. As discussed in Section 3.2.3.1, much credit is given to the l ability of tne RCP seals to maintain a low leak rate for extended periods of s time under blackout conditions, and we consider this credit to be i '~ unjustified. The SSPSA assumes that if auxiliary feedwater is operating, the h time available for recovery of AC power is 13.5 hours, based on their analysis
-l
! of core uncovery due to RCP LOCA. If auxiliary feedwater is failed, this time I
; frame becomes either 2 hours (if the operator fails to sned battery load to extend battery itfe), or 4 hours (if battery life is conserved). The SSPSA t
{ also assumes that diesels can be recovered only wnile tne battaries are still i} o j
.j functioning and'tnat, offsite power can be recovered at any time. As we have
! stated earlier, core damage will begin at two hours if auxiliary feedwater is
~! r^ available (see Section 3.5.2.5) and at one hour if it is not (see Section a
J i o 3.5-15
- l
..~
. . ~ Q -7 " ' .'tM .,L y~b y. -, *...,M.,-- . - . _ . _
.~,.-.,
_..e.. .,.
~, .. .- .
~: - .p:p.);y'. ,s _ _ . .
1
, 3.2.3.1). Thus, the t'ime frame for preventing core damage is much shorter and
! battery lifetime in this case is not important. Recovery of electric power in d the longer term may be igortant to containment failure mode, and in this case -
battery lifetime plays a more important role. However, we believe that no
]
credit should be given for the recovery of offsite power after the batteries tj j are depleted, since control power to breakers, switchgear and other
.j . instrumentation circuits will nave been lost, and significant " heroic" action
'i will be required to restore offsite power to the plant. Thus, the assugtton
} ,
should have been made that the failure to restore any AC power to the plant
'j 1
+
i price to battery depletion results in a " permanent" loss of all AC power. l Recovery of AC electrical power in the long term affects containment failure mode since tne power recovery will allow recovery of containment cooling X functions. In this case, battery depletion would play a key role in the , ability to recover offsite power. The SSPSA considers three _ cases for battery c.t
-[~
. depletion, at 2 hours, 5.5 hours, and 9.5 hours. The 2 nour time frame I
.j represents the Itcensing requ'irement for full load-carrying capability and G:
4 assumes no action on the part of tne operators to manually shed load to extend
? :
j battery lifetime. The longer lifetimes are based on utility analysis of the effects of operator action to shed two levels of load based on proposed } ]
.j l
station blackout procedures. The 2 hour time frame is most likely j , conservative since the conservatisms built into licensing criteria to assure v
'. that the 2 hour capa0111ty is positively met also assures tnat the realistic s .i capability is certainly longer. Similarly, these conservatisins most likely would also have an effect on tne longer time frames, furtner lengthening them. Overall, however, the nunters are approximately what we would expect .] e
based on tne detailed analysis performed for NUREG/CR-3225 (Refs. 3.5-2 and
- a
, 1 3.5-16 1 1 :
.-v=.. [, [- -
, , - -. +. f ==a-*=e-c..ay e .~ s + . ., f in r==.rw * * .. *-v evr7* s ', * ?. " .* ?s, * ** . * * * - * * * -
m.
.~
0- , _ M d^ # 4 3.5-3]. In the detailed analysis [3.5-3], surveys and interviews of a nucoer u
] of utilities were conducted, and reviews were performed of GRs analyses of ERs, and other relevant documentation. Battery lifetimes for all plants =t i
- included in tnis review ranged from 2-16 hours. A large majori y had 4-6 nour
{y I range, and most of these were clustered around 5-6 nours. The long lifetimes '? (up to 16 hours) resulted from detailed analyses wnica used realistic loads "j l and took credit for tne operator following a procedure to accomplisn load
'd- ! snedding. The very snart (2 hour) took no credit for load shedding and tney q
tended to occur in older plants with undersized batteries. This information
] provided tne basis for selecting five hours as a reasonable estimate for ] battery life. It was supported by a sensitivity analysis that snowed battery j .i lifetimes as snart as 2 hours, or as long as 12 hours generally had very little effect on core melt frequency. The SSPSA, as stated above, used tnree -
n, different hattery ' lifetimes (2, 5.'5, and 9.5 hours). They assigned split l2 # ' fractions of 0.05, 0.80, and 0.15 respectively, to these lifetimes. This ,I K l] assignment was arbitrary and not based on any analysis of the operator actions
. required, and no justification was provided for these values. We believe that ;.'t an OAT should have been developed with tnree end states representative of the fj three potential lifetimes. We hasten to point out that the battery li'itime s -
! j values used appear to be very conservative. For example, if we assume that ~ ',d the operator has about one hour to perform load shedding to extend battery
.e j i lifetime to 5.5. hours (a reasonable assumption based on the depletion analysis), and apply a screening value based on the time dependent cognitive T.I error model presented in NUREG/CR-2815 [Ref. 3.5-4], the result is a il probability of tne operator failing to shed load of 0.001. Thus, the split 'l y fraction for the two hour depletion time (no action) should of on this order,
- s 4
wnicn is a factor of 500 lower tnan the value used. As stated previously, we 1
~'
3.5-17 B k,.o.,-.,, y, -,. . . .... .,- ,_,_ cm - . . .. .- - - . - - - . - - - - - . - - - -
1 - believe an OAT should be constructed to represent tne proper actions, however, the applicable procedures were not provided to us so ,that it was not possible ' f
-t Q .. i for us to construct one. .
1 ? y i - 1 In its analysis, the SSPSA included the possibility that the station blackout
'1 fj condition could occur at some time following the initial loss of offsite power due to failure of the diesels to continue running. In general, the analysis .- of this condition was well done, but the previously stated time frame problems have a profound effect on the results. However, we would not expect failures $ to run occurring past the two hour time frame to have much of an effect on the .3 ]
- final results and thus the corrections needed to the model would be minimal.
. We reviewed the recovery factors used in the SSPSA for recovery of offsite
~ power and recovery of diesel generators and compared them to the data sources i G - most often used in the analysis of recovery in previous PRAs. The offsite j power recovery curve compared very favorably with the data for the Northeast
} ;
; Power Coordinating Council, the region whers Seabrook is located, as presented h in EPRI NP-2301 (Ref. 3.5-5]. The diesel generator ' recovery curves were quite 9
bd optimistic when compared to information presented in NUREG/CR-3226 h (Ref. 3.5-2], at least in the short term (the first four hours). The SSPSA "?I values are claimed to be based on LER data and EPRI NP-2433 (Ref. 3.5-6], combined with consideration of auxiliary operator response time to reach the y j
- diesel room. In the absence of the information necessary to reconcile the h '
differences in the data from these two sources, we would be inclined to use l
.j the more conservative data in the initial quantification and perform a
.); sensitivity analysis to determine if the SSPSA values would have a significant
- - effect on the overall AC power recovery curve.
j! b l* i j 3.5-13
,e - . . . . - . . . . . _ . . . . _ , _ . , . . . -. .
i
+ _g .
i i
., References for Section 3.5 Q
d . t 52 3.5-1 NUREG/CR-1278, Swain, A.D., et al, Handbook of Human Reliability Y , 7 , Analysis with Empnasis on Nuclear Power Plant Applications,
,7 i
- } 1 Septeveer 1980.
6] 55
$I i 3.5-2 NUREG/CR-3226, Kolaczkowski, A.M., et al, Station Blackout Accident i
e .!.
. Analyses (Part of NRC Tast Action Plan A-44), May 1983.
- 1.-4
. 3.5-3 Personal Telephone Conniunication, A.M. Kolaczkowski to P.J. Amico, i
October 1984. l 3.5-4 NUREG/CR-2815, Papazoglou, l'.A., et al, Probabilistic Safety , 4 (] Analysis Procedures Guide, January 1984. A ;
, i 3.5-5 EPRI NP-2301, Loss of Offsite Power at Nuclear Power Plants: Data (l I and Analysis, Maren 1982.
m 1 . s . bj . 3.5-6 EPRI NP-2433, Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis, June 1982. y]? .
.i
~
. l-i.
1 i i i V i b-
, 1 l ', 3.5-19 i
- . - ~ ~ - ~ ~ ~ - , - - - - - - ~ - ~ ~ - - -
y - - - _ . ge
=a 3, 7- , , , . , , . . -. . .
- - - - , .- _ ,. _y. -- , - ----,.yw y -c.------.
i *
.l 4
- .s 3.6 FAILURE DATA
../
. This section presents the results of a review of the failure (and unavaila-bility) rates used in the SSPSA. The review consisted of: (1) Comparison of I
"j the individual random component failure rates with similar rates from other e
'] ,
sources, and (2) Review of system failure probabilities and unavailaoili-ti es . The subjects are considered in separate subsections, following. I i "4
't
, 3.6.1 RANDOM COMPONENT FAILURE RATES i
; The SSPSA provides a discussion of random component failure rates in Section 6 l (Data Analysis). This section provides a good discussion regarding the use of data and the derivation of failure rates. The actual failure values for some 2
I < 60 components are provided in SSPSA Table 6.2-1. (t -
. The derivation of the SSPSA Table 6.2-1 values is said to be based on applicable data sources, adjusted for application to the Seabrook plant.
1 However, the actual derivation of tne values and data sources, and adjustrents
. employed, are not given. Instead, for these details, reference is made to two reports (6.1-1 and 6.2-14) both of which are indicated as PLG proprietary, and a 'l .
' i 1.1
; no report titles or dates are provided. These reports were not made availaole I for this review. -
i
# i In order to arrive at a judgment regarding the validity of the SSPSA random component failure rates, tne 60 entries in SSPSA Table 6.2-1 were compared
[ ..-, 3.6-1 I i
'...1"~...~' - ' _ ~ ; ~ ~ .;'. . . ~,~ _"" ~
_f... m .
_ . . _ _ . , m . .
~
6
'l with 12 other data sources. These sources consist primarily of failure rates
! generated by the NRC and its contractors. However, for added perspective, l
; data from two industry-sponsored PRAs were also added. These two PRAs, for f the Zion and Millstone Unit 3 plants, were selected because both are for j Westinghouse PWRs (similar to Seabrook). Further, in one case (Zion) the PRA
! was produced by the same organization (PLG) wnich performed the SSPSA. The
- - )
i* ! Millstone Unit 3 FRA, on the other hand, was performed by Westinghouse, and J. the data sources and derivations are also claimed to be proprietary. This
?
comparison does not imply that any of the data used for comparison is considered more valid or robust than tne SSPSA data. Rather, the comparison is used for screening purposes to identify any SSPSA rates which appear to be
, f inconsistent with other sources. If such incor.sistencies are found, an
.'i l attempt is made to determine the reason for the inconsistency, and at tne same
- . time an assessment is made to determine if the inconsistency is likely to have a significant impact on the overall SSPSA risk results. The impact of component failure rates on system innavailabilities is evaluated in Section
'i 3.6.2 following. _
I i Table 3.6-1 provides the comparison between the SSPSA values and other data
} sources. The first column describes each of the 60 components. considered in tne SSPSA. The second column provides the failure mode, and tne third column "> - is tne mean value used in tne SSPSA. Mean values were generally used in the i SSPSA as described on Page 6.2-21. (All values in Table 3.6-1 are mean values
- except WASH-1400 which are median). These first 3 columns are identical to f
,', t those in SSPSA Table 6.2-1. The fourth column provides the ratio of tne mean 1
-1 j to median SSPSA values, both of which are provided in SSPSA Table 6.21. This column is included here to provide an indication of the skewness of the Insert ;. Q 3.6-2 I.
I l
--.-----,,,m,.,. . + . .
..,,,- ~~n - - -- ~ - e m --,- ~-- c . ,- ,
.ed.,A., *- w 4-
< . $- . mkE$ub> ~~ ----.m. . . . : w. .--a .. .
i~ l ..... . . . . . . . - . . . . . . . -.- (- n. t (
.. )
1 I . Tetle 3.6-1 , ,? COMPAA15818 N CONp0Itai FAILWRE RATES f I. i Eles F33 t WA5N-1400 tER EG4G F55 Millitene 3 Matt 005 Itsee Ceapement Sescriptlen failure Nede itsema MKee IREp/(1,2)(Medlea)[3]serived laEP (6) (7) P55 E4] etter 2.ME-3/d 1.5 4E-3(1,2) IE-3(2) 3E-3 (4) IE-3 f.FIE-4(F) I . Jet-J 5.Jt-JII7 g 1. lieraally Operating Fall to 5 tert en pensed 3.3M4/h lE4(2) M4(2) M 4 (4) IE 4- 4.3M 4 2.4M-6(6) 4(3) . Ater4 riven Pump fell Surlag heretten 2.1 k!N-3(2s)
- 2. 5:endt,y noter. Fall to 5 tart en semend 3.2w-3/d 2.s 4E-3(1,2) IE-3(2) u-3[4] hflN4(2) 1.34 te Orlun pw M-3(4)
I.9 X-6(2) lE-6 [4] 4.26 se 1.69 to fell Surlag aperetten 3.4M4/h IE-6(2) 6.M-6(4) 1.6M 4(4) 3.344-2/d 1.3 dE-2 1 2) lE-2 [4] IE-2 2.2M-2 2.58f-2 8.IE-2f29)
- 3. Turtlas-Stives fell to $4ert en gemend 6.lM-4 IE-4 (29) 1 pump fell Surlag %eretten 1.4M-3/h 2.4 M4 Il M -5 [4] lE4 F.6M 4 P 4. Ventitetten faa fall to Start en Benead fell Burlag herettee 4.84E-4/4 4.8W4/h 1.6 8.3 J
.] f j
- 5. Coellag Tamer fee fell to Stort en Gemend 2.9M-3/d 8.8 '
fall Burlag beretten 7.0W 4/h I.3 I
- 6. Centrol mean West. Fall to Start en temend 8.eM-3/4 1.5
- llettee Chiller fel bring herettee 9.44E-5/h I.3
[). I 2. Air Ceapressor , fall to 54ert en Semead 3.2W-3/d 2.8 ; j f all bales heretles 9.stE-5/t 2.6
- 1 i
- s. Ntur-Cperated fell to berate en temend 4.30E-3/d 1.4 4E-3 4E-3 (5) IE-3 1.6M-3 0.96 to ,
Valus 2.M3 (6) Treasfer %ee/ Closed 9.2M-8/t 3.0 M-7(epen) IE-F 3.l4E-4 8.44 to 2E-7(closes) (apoe) 1.M-5(epen) E . 2.lM-e(closed) i ' 4 fall to Close se Benend 1.0M-4/d 1.4 I
.! Estes ,s. semens rates serives Free operettenal rates assussag amately testing .
2 Rates get segregated for normally operettet er standby pumps
*eetes are destgaeted /d (eer densed) $ th (per trl 3 Sete esed for service meter pumps i 3 (spettel notellen; 2.5E-3 2.5sig -
I s Designates refersace i 4 1 Beage of rates for verlous steadby pumps (818. AfWS, Si, C5) * [ ( ) Destgaetes feetmete i 6 i for service water pumps I a 16't Benge of values depending en systee (C5. CWC5 EST) il' LPi for *alternetlag* pumps I
?
l
,u . - _ --- _ .- :... .. AML.l,;;;;s * ~ 7 W@K " ' ~~
- ,,_,.,_1 ' 6- ' . ; ,71 E o,, ; ,;.L, _ , ,, , , y ;,, '
.f . a _-
.s . _- ...
?
' (
) .j fI ; I d 1 i-j , Ishle 3.61 (Cent.)
-e ; M.
- CGIPAst$31 W Caertifat iAltist SAH5 1, d i ru 4
i Staaseen see IAEp/ nes5al.1400 LES Esas flen sellistene 3
<li
'A componens sescription fellere Isode semen
- en 88EP(1,2) (seedlan)(3) serleed (4) P55 (7) pi$ [a] ether *
]' _ 5. seienese verve reis se operose en ummens r.a m-are z.s 1 1 (direct actlag) Treester ben / Closed 1.2M-6/h I.6 ,
3l Smelag operettee ,
- 10. Alr-aperated telee fe:I to herete en sensed 1.6N-3/4 1.4 3E-l M-4(6] IE-3 1.44E 3 4.6M-3
} - s -l 9 4E-3(1) M-3[6)(6) 1 . $ Fall to Transfer to 2.6eE-4/d 2.7 ) ..I i fAlled positten transfer bee / Closed 2.6M-7/h 2.4 lE-7(epea) I.lM-7 4.M-6{epea) q ], smalag aparetten M-7 8.3 M-e ' - (cined) (clued) J -j 8d II. Electrahydroells fell to teore'te en semend I.6N-3/d 1.4
- j m Walves (escept Ironster b en/ Closed 2.6M-4/d 2.4
. g 15v and K W) sierlag aperation i N 12. Butterfly Tempere- fell to berate en somead 1.6M-3/d 1.4 4E-3 2.64E-3 ,
g ture Centrol tolse fell to Tremster to failed 2.64E-4/d 2.7 . j , posiglee ! e itenster bee / Closed 4.2eE-e/h 3.2 M-7(apoe) I.6N-6(epos)
^
. enring aperetten M-7 2.l M-4
- (closed) (cleted)
I <
- 13. Check votes (step) fall to aperate se Bemend 9.l M-4/d 2.2 M-6(1.3) 4.3) M-6 IE-4.4.31 4.2M-6 3.N-4(31 !
IE-5L IE-4'6l38 i eeverse teetese (gross) 6.ME 7/h I.7 if-7(3) M-7i 3 (3.4)(6) IE-6.6l3) IE-o' 3 {3L 7 s.ast 1.64E-6(2.3) Burt beretles Treals er Cloud, pl.e M-7) (3)(6 (2.3) g
- 1. set-s/h 1.3 .
- 14. cha t tel.. fell to 4perate en annead 2.6w -4/d 1.s M-6(I.3) .lf-4(4.3) eE-6 IE-44 3.N-4(3)
(ether then step) (3.4)[6] IE-3L64,g 4.2M-6 (3) j ee.orse leasese e.rs.g operette. focus) 6.3u -7/h l.7 M-6(2.3) M-7(3) u-7(3) (3)[6] IE-s43) s.3er-7 (2.3) 1.6u-6(2.3) ( Treaster Closed plus 1.e4E-e/h 1.3 , i )I ~l l J aietes: 7 Someed rates derived fres agorational rates assuolog meethly testleg i $ *eates are designated /d (per demead) er th (per br) i t'. Fallere te seet, escessive leakage ! y (spemential notetten; 2.K -3 = 2.6 10-3 1 El Sates for check velves la general (met segreested hetmeen
- step
- end
- ether thee step * ,
[ ] Sistemates reference .,4 i fell to spee ( ) Bestemetes feetmete ' 6 Includes commend feelts i e l fell to close i 1 i ! l Li , i a j h
'I '
l )
. . . . . . - 1.-- =- . - - . ---.-- ..
6 2 - . t 5 m
- ~ 7 -
. T *i
=::
=;
y . : a e. ~- ~ 4
. *1 3.- I3 I
, -se as ,
f a,
; 3. 5
- 3. .
= . 3
" ~
1* 4 I
. =a w .
E . 3 : y :: :: :
= j4 .R E
*O BE $$ $ $.
3-i = .
-]
' 3 J r 3 -
! .i W %% g i
F', .
-a El k$ .
l j ',:
. g a ~ g. e~ ~ q. en q e, e, n ~ t i
Em ~ g 24 2R R-
-RR
-~ ~
RR R _~ ~ Rf. R
~
R C
** ia "i T* i "i i 5 .
i ** 1 *3 ** 3 *
.In
.4 E.
**~.I.
. 9" au -
9
-~
E.l. ~-
*N **
~
N 1 2 L. te F 3 3 1 %% 8 : F 1 . 3 g 3 = *- Ia - Is : G
- 3
. J .c a "t r's I 8: : 31 . 22:: 4 si j~ - -
2 6 e : 1. I: a:: la
= = l:as3 4ge 3:2 : .:
5i 23 32'2' 311 8515i ==:==
=I ==.=_ == : s 5 ::a::
25r 5 :I t-23 :: ::s:s ::1 =23:s a ~* . 2 R~g:: *
,:_ g:. -
j 5 ~ g :3 x - 3 se t r et : eg - _3:.. 3
~. A sw . t a -
g -
- ,, : I 8:gg:__
. : : __, g l
- === 1 -
=
- h.gj 2 25: 2 E -2 4 :: -
}
o O 3 2 2 f. E Jf'**~ f I l 3.6-5 I. j .. . . . . , _ . -
.., ---_~s , , - - -,,, - - - . . - - - - - - - - - - - -
m - - - -- e:
* , )
Table 3.6-1 (Cont.) ' CasPAAIS0li Of CibePONfMI FAltuRE RAIE5 m non
.- Component Descripties failure lende 5(A4400K leeaa ISEP/ WA581-400 114 EGAG PS) millitene 3 Component Descripties fallere stede steaa* MWee letP[1,2) (Median)(3) Servied (6) [7] F55 [8] Other I 22. sect Draft Damper fall to Open en Sensed 2.6 M -4/d I.9 i
{ 1ransfer Closed 1.04E-4/h 1.3 l
- 23. Heat Eschanger Septere/f acessive Leakage 1.95[-6/h I.6 M-6 l(-9(tube) 7.lM-F l[-6
; Arlag Operatten
~
IE-6(shell) , l
- 24. Storaes Isat aupture bring theratten 2.66E-8/h 2.7 4E-te SE-10 i 26. Contalement Plug Durlag Sporetten 7.0M -8/h 2.4 F Selldlag spray horsle m
, e ~j " 26. service Water 6.2M-6/h 1.6 IE 5(I) it-5(1) fall purlag therstlen M-5(1) ; Strainer
- j 27. Ventilation filter Plug 1.0M-6/h 2.7 e
- l 28. Ventilation teuver Ping 1.0M-7/h 2.7 ,
1
! 29. Plpe 3-Inch supture (per section) 8.6ef-9/h 9. 4f-9(2) IE-9 4.6M-9 8.M-9(2) 8.M-9(2) i Olemater ( 2*)
- 30. Pipe 3-lack Rupture (per sectlan) 8.60f-10/h 9. 4E-10(2) 11-10 4.66E-10 4.M-14(2) 8.M-le(2)
Blaaeter (2-6*)
- 4.66E.ll
( 6*)
- 31. Valve (actor. Olsc Supture 1.6bE-8/h 9.4 operated er check) ,
Etes:
*Astes are destgaated /d (per demand) er th (per br) (l) for all strelsers (2) facludes plegelag ,
ebatlalnotetton;2.M-1=2. signates r Sal 0*3 ( i 0.. .maies eference tnoie I r i
. - _ . -.2._
o o M. W . 2 3 N .
- 5 4 A o
S
- n. .
3
=,- xa M W
=*
EC* A A A . 7 7 . 5 W N
- 1 x
- s. .-
..~
. ~. ~.
n s i
~.. ... ..
4~ t ~~ ~~ .
.,. a. m. ..
i 3.
. N .
-. M 3.
. ~
M.
~
h3.
, . - ~
. ~.~. . .- -. .
A 5W **X* ";3 i 2 - =t-m .,6
. .m ~
".% *% I
; w g 27. -
- . ~~.
~~. It
=. X.
7 X. X. 7 K. W. 7 :
.=.e g
- 5' 1 f M M ~ ---
--- .3. -. .
u -
- - . '5 = -
- ~
33=3 :2 : a ..
- 1 .
FI.:tJ
. m'::: 2 l " *
~. ~. ~. ~.. 33.3 i <- = I. M M W W 3 3 2 3 33{tt....
m s , g g '
, .5 ..
. ~. .
. =. m. ..... ~.~.. .~ ~ i 2 !. :=,
1.4. C2 - - - - .~ . I w
. =7 i , g . . g . ... ,,, ..
- k. ~. k. . ~. T' k. k. . %. k. .
8* . . W23 **5 2
- ~
- N 3 * * *2
.~
! . . . ..~ -~
l 32 4 2 4 J J J J44 444 44 -
! 2 a 1 ' ,1
- 5 5 5 3*1 . *3.
2 J - 1 s a : o g *- g =.
=. =. Aj3 -
2 Ag3 85 g 8 5 IJ 8.J I =. b. 2.. . 2 ..
.. 5' E' .2. ... .s -o
. x .t. .
.t. .
g . .- -
. } g g
.3
.- .3
.- g
~.
- =. = ..u= 3 ~t 5' g 3 =.=. -3 : =. g )
t
=. =.)' =. g =. -- __-g
. . . . . - ,a.
, 5 6
-g .
... 18..3
..3 2 *
- i. 3
. 7 27 1. . &***
f X-. I. ~ ug f. J g l . [.
.5 . 5 ." . 6.aI ..
.~g3 2 4~* *
.~ .. 3 . . ... -k.
3 2 .. .
- 2
- 3: **2
-- -- .t.W 2 .aW 2. 3 *3
.. .. g~2 u
t a m e e a n m e a n
=5 S..
3.6-7 1
.....y.,.-,,,,,..,. . . , . . - - , _ . . .- ,, . , _ , . , , , , ,
.. . . . . _ . - . - . . .r-....... . . . - .
2 5
- , - s 7.-
n n .
.I. ... ~ ~. . ~.
4-. W 7 3 x a
. a 3 * ~
E *.l: 2 4 4 W 4 4 4
~ .
YY ~ M * *. Y* 1 3 i 1 t _3. us I.
~ ~
2 . 3
- a. ~.
e . ~ ~
*3
~ . - -
. 7 . . . . 7 . 7 7..
3.
.h
= 2'
. . 2 h. .
5 - ,
. e, E.
! .= 3.~ 7 - -
% g :- 3. 3 3 .,.
~ -
~. .~ ~. .. .s. 8 . . . ..
= 3 .. . . . w
. y =
g - 3 W 2 2 4 *
- 22 =%* *2
.- g 3 -
- =
I: m.
- ~ rag. *
,' - . - - ~ ~
- g .. ..
,.. a-'" ;er. 7 7 ~.
W . . *3= 2. -
* * ..g i
^
. 12 MN * * * : .t.
- _ .
g g . &. s.*2. .:g i j 33.E*. ]
- : : : s - p- pw s
. . ~~-.~ . . . .,
- ca : a: aaaaaa: a -
)w , , , ,.. _ ._. _-.
I l t
~. ~. . .
. ~.
. ~.
3 I *. $
- 3 *. -2 ~.~.. s: * *
- I2 ~ 3~ x.
q .
.) 22 4 4 4 : 4 .: 4 4 4 4 4 aJ J J I
I 1 1 1 5 A 5 8 5 5 5 8 5 3 3 5 a
- . . . . E g . . g . . . . %
LL- 2 : . : :. .
- : : :. 5.*
5F IJ I$$..E&2 3 6 EEE& 3 *.
. . .5
. F .F. -F .
&F - -
-F & -F .F.
F -F. 3 .: d 1*=.17
- J J J E: A A A J J A 4'
, =. ua
=. = '&* =
w
- = = =.****=. =. =. = = = =. = .
~t W'..
i
% ~ de .,
- 6 6 8 M .
6
- o. .J'.3
* -3
% & 3 * = : 1. 2.
.=
-~
6
=
4 - -
.e
.e
. - S . . ws g . .
4
- a =
6 .= J J .t X:
- 8. . .~
. : a 1*1 1 t y .
.m . 6 . g . g . .. ...
12 aa ; 2 - *22
.=
- - .I. .I w - ..
.. g,.,-
. . . . :, . ..~
- q y 8 f . .~.. . .
.- . W. .2 29 3.6-8
l11
~
Ie s * ! [ 3 li 3 l ( a- e r t sl M) e
. h t 2. l 2I l
2. 2I l l *
- O 3 ) )
s 3 3 e ( ( e l 6 6 4 t) - 6 - - - s$ - E l( M M M e l5 6 9 9 3 i5 M. hP 6 4 2 2 3
) 3 s 2 - t
. (
6 M n e s - 7 el) lp li7 E g sP[ l -
- s e
) ) u
)
4 4 o l 3 3 hg ( ( 1 " n 6 6 6 6 t G) S - - - -
)i lt G6 E E 2 t l s E( l I 6 I ee cWg
- 5
) t .#
. d 5
( em way e 6 (rr v - ct i e msn e Rr E e M. t g tD 4 sag S yl n
. E I
sri m A
] us S
3 dds 0[ e i
. E 0) ) )
rym
. 4 n 3 3 t el iu 1 a 6 i dwl s
( u e opf ue a.
- )
t l Nd i 4
- (
6 6 4 c r if 5e t A AM M. E
. n o
F W( E I 3 M X I ic i yt 1 crr C i eee2 ( n r pt s i
) e p
st a6 2 al 1 6 3
- 0 m
P M O i/[ rPP 1 5 5
)
3 ( 7
)
3 ( F 3
,l snn eo yt b r
o* ol tt e o TEE - - - - - r eoeT l e f C uma r sil M E l M M E 4 i s gf r wta u4 b a o rt el5 rolti7 T s ehoea5 0 n e rSVsf5 5 n t
-- l A na e 6 6 3
- 7. F.
7 7 3 5 , I2'3t56 i l
,1 A
P h rmM 1 2 I 22 2 2 1 5 i i'iii'i 0 C 4 4 h hd h h d d _g / / / // / / / /
. 0 6 4 6 6l 5 4 3 5 0 - - - - - - - -
. a*
sa E 0 M M6 ME 2 M M M M 4 6 g5 3 3 6 2 As e .
)
wESM F 2 4 28 6 1 4 3 h d d d b r w n en en ea n o n a d n r
, a g a e
p m l m i m
. a o D e
i n t e aD tt e t a D e m s ( e r r r r O h u en e lt n e n t a e p e n
. e r
e e Dd 4op b E e e r3 e-d p t e gi g g t t 0
. o O a t nr a n a r )1 M r r iT s i r e d a g
n e oh r r r u e s a n5 a he o e e p . r u i r S S tt h D o l m2 e l u o r ee e e o o d = O t e rr r r t t ia l n uu u l ll l u l l r3 e-f l . l l e ii i i l l p a a p aa a a a a f f O ff f f F f ( M. d2e
/ ce d ;nt
- e e o dneo
. e l ) m eern
. l h u C 3 ttet t c d D A l atf o ip it le l e yW y5 f
p o r naeo gtrf s r r w b l4 lE i t o c s e t S C a ic p2 pe p( p T r n o isnee e tt e et e g u uC C dlaa D rl r l o s ) SD rr ann ue u o r t C1 oe e el gg t ss s rDA rV tk l g rtii
, n sn s t lp e 7 e0 ca aass e ea e n wv1 w2 ae n ) eee n rr r o r o5E cl er Si 6 s nDD o
p pI P C I P e( Pe Rt ( seo et pj) m . . . . . . . . . t a s o 2 3 4 5 5 6 6 7 5 0 5 S g 0 6 oR[E( n* C 5 1 w.?lu
,l, '
iI.I lI.l$ ?j ,
.) /j,?
.,. j - ' i i,1 ' , , . , iI tl i . .
. I 14ii.1 J 11*
r l
*- . _ . . . . . . =- -- --
~'
distribution assumed for the compor.ent (311ure rates in the SSPSA. (SSPSA
)
Table 6.2-1 also provides tne 95tn and 5th percentile values. These values ! I - nave been omitted from Table 3.6-1 in order to minimize the numoer of j
- columns.)
~i - .I j All columns after the fourth provide comparable data from the sources 4
identified in the heading. In several cases, the data source considered only h, a few specific components, while others considered a large nunter of different components. In a few cases, to be considered l'ater, no data source was found for the SSPSA component. ' 3
-1 1
1 In examining the Table 3.6-1 comparisons, tne following general observations
]
appear valid:
]
3 1. Pumps (Components 1, 2 & 3) - SSPSA failures rates for pumps are
- consistent, and somewhat conservative (somewhat higher rates), with
~
respect to the other data. _ i .
- 2. Fans, etc. (Components 4 through 7) - No comparable data were found 1
; . for comparison with these components. However, these components are
'.3l v
; typically driven by electric motors, and the rates are comparable with otner electric motor-driven components (c.f. motor-driven pump) i i
.j j as well as the WASH-1400 rates for electric motors (3E-4/d for start 1
,.J
- 1 failures and IE-4/hr for run f ailures).
3 ' N ' d, F1 l*t
, ,] -
. 3.6-10
; m.
b go-,=; , **== -. * -****====P******-*******-e-- -+* --
-F--*'"M N w W "* * * * ' " * ~ ' **"***"~'"**"*?'**~'*-'"*' -'T
- y' - y -
mp - - - * ' , - -
--e-- ,,- e w
.i .
- -, [.c *
- 3. Valves (Components 8 through 19, 31) - For enose valves and failure modes with comparable data, the SSPSA rates are generally consistent and, in most cases, somewhat conservative. The only exception is the
rate for butterfly temperature control valve (412) transfer '.i open/ closed during operation where the SSPSA rate is considerably lower than the Millstone 3 PSS and somewhat lower than NREP/IREP. $ However, this component failure mode nas not been found to be risk $1 ~8
- significant in PRA studies.
t
') In two cases, solenoid valve. (#9) and electrohydraulic valve (#11),
comparable data could not be found. In these instances, the rates are generally comparable to other active valves and thus appear reasonable.
~1 li The rate for disc rupture (#31) could not be verified against
~
,j . - g alternate data sources. This particular valve failure mode is the U subject of an assessment'as part of the V-sequence analysis (see l -
,4
. Section 3.1).
l{ Two additional failure modes could not be verified: 48 (fail to y] ; close on demand wnile indicating closed) and 110 and #12 (fail to transfer to failed position). However, these failure modes have not been observed as significant contributors to important accident h] ,5 sequences in PRAs.
- !j
.y
- 4. Dangers (Components 20 tnrough 22) - No data comparisons were found 3.;
for these components. For the pneumatic damper, the rates are
-]
i 3 T 3.5-11 . -j v 1 I. - - . _ , . , . . ,.,_,-,;3.--., ...-...._____.---.ys
...,3.., . . - , , - -.-y
'. i;- "O ; ,
a, essentially the same as for air-operated valves, wnica is
. reasonable. For the fire damper (#21), only an inadvertent actuation failure rate is pegvided. Neither the validity of the rate nor the
; ' significance of the event could be ascertained. The back draft
, damper rates are identical to check valve (other than stop) #14, and M tnus appear reasonable.
cl
.] 5. Miscellaneous Passive Components (Components 23 enrougn 28-) - This ,1
- 1 group includes six components, witn data comparisons available for
'1 3ree. Of tnese tnree (#'s 23, 24 and 26), the SSPSA rates appear i
fi consistent except for (24 (storage tank rupture). In this case, the
- 1
] SSPSA rate is cons.iderably higner tnan the two otner rates found.
However, storage tank rupture does not appear in any dominant j sequences (see SSPSA Section 2) found for Seaorook. Thus, adjusting
.tne SSPSA rate downward to be consistent witn otner rates would not q influence the risk results.
.s e
Data comparisons could not be found for three components (d's 25, 27 I
- r -
and 28). However, none'of these appear to be significant in terms y of risk contribution. The containment spray nozzle plugging rate 1 R gi , (during operation) would have to be more than two orders of magnitude
; nigher in order to contribute to the spray system failure rate of
{ I
.j' 7.25E-4 (see SSPSA Section 7) for a 24-hour mission time. .i -
M
.a i
]j - Similarly, the probability of plugging of ventilation filters and m M louvers for the 24-hour mission time assumed for safety injection
.i ).3 systems which may have pumps enclosed in rooms requiring ventilation A
4
, (L ^
, 3.6-12 9
E s 4 p. I ai. , , . .e van * . ume g- - e me%ae p * *P -On + * **' - - LW N*B' N M***~f *88"**** I e
'~
o ;. is insignificant even if the SSPSA failure rates were substantially j increased.
~
j
- 6. pipe Rupture (Components 29 and 30) - Pipe failure rates used in the J
':; SSPSA are at the hign end of, but consistent with the range of rates i from other sources. .
.9 E;b i '
- 7. Diesel Generator (Component 32) - The SSPSA diesel generator failure h
.1
]
rite is quite consistent with other data sources (the Millstone 3 }, rate is clearly outside the range of tne other six data sources). 1 The diesel generator component has consistently been found to be a r:: risk significant element in PRA studies, and the SSPSA is no exception (see SSPSA Section 2). Wnile tne SSPSA random diesel lj generator failure rate is consistent with otner data sources, tne
.l coninon cause failure contribution assessed in tne SSPSA for the two , ; unit system was found to be significantly lower than other sources.
This apparent deficiency is explored in some detail jn the subsequent subsection (3.10.6) on coninon cause failures.
] '
] .
~
".N 8. Miscellaneous Electrical Components (Components 33 througn 58) ;- )q . Tnts group consists of a variety of 25 electrical components. Of tne-4 I] I 25, comparative failure rates for 20 were found, althougn in one 3;4 l case, a particular failure mode was unique to the SSPSA data base. i .
;,t . For transformers (Components 33, 34, and 35) the SSPSA rates appear D3 j reasonable. Althougn no comparative data could be found for
, instrument transformers (Component #35), the rate is comparaole witn
.'. the other transformers and thus appears reasonable.
1
,1
] .
3.6-13 c.,.. . .
._ . m _,-- - . . - -
,- s
t g L, l For circuit breakers (Components 36 and 37), the ratas c:qare
- favorably except for the " transfer open during operatiend f ailure j .s mode for less than 480V breakers. In this case, the 33PSA rata s'
appears significantly lower than the others. However, tnis failure mode has not been found risk significant in other PRAs, and the
.y:
- d difference appears to be of no significant consequence.
i .
;- The bistable rate is consistant fcr failure to operate on demand. No 7j s .
O comparison was found for " spurious operation",.but this bistacle a . failure mode has.not been found significant in other PRAs, and the fi fl ; failure rate does not seem unreasonaole. 5 . The next four components (39 tnrougn 42) appear to have failure rates t
'l consistent with alternate data sources. Component #43 (Power Supply) has no comparative rate bui; is comparable to the rate for motor
,. generator (#42), wnich is also a power supply. The rate arcears
~
reasonable. _ s 9 LJ Components 44, 45 and 46 appear consistent with alternate data. The ]j emergency power sequencer (#47) nas no data for comparison. This tj ,
~
i?s r.
; comoonent sequences electrical loads onto the emergency ac power q;
g l buses fed by the diesel generators. The dominant failure mode for 1 the emergency power system has been found consistently to be failure t3 ,
;4 .
1
.of the diesel generators (see following subsection), with rates d !
typically around 2E-3/d. Thus, the emergency power sequencer failure
$ l Q rate is insignificant compared to diesel failures by some three
( l
- orders of magnitude.
4 l e
~
3.5-14 1 ' (J I 4 I l i
- 5 .
l .' *4 l-
- i
. ., , . , . _, g ... ,. _ ,. _ . . . . . ~ . . . . . , .
l
. . . . . - . . __.,,9, eg ' , . l
---y+ -
- - - --, o g,--- -w,, w
.-.. . .. ~ . . ., . . . . ~
. w :n .
l The next two components (#'s 48 and 49) have no data comparisons. l
.i
! However, the rates are equivalent to similar types of electrical
- 7 u
j components (transformers, transmitters) and thus appear reasonable.
.lj '
i j ; Components 50 througn 54 all have data comparisons and appear
.g I cl reasonable except #52 (pressure transmitter). In this case, tne d- I SSPSA rate seems low compared to the other values. However, this o
i failure (during operation) should be detectable, and no instance is
.g 'j n i known wnere the failure is risk significant. This instrument does e .
() .
. appear, however as a contributor to failure for several systems as h i ij -
indicated in Section 3.6.2 following. Its significance is evaluated 9' T : in that section. Component #55 (trip logic module) nas no data for comparison. However, the rates are comparaole to other electrical components. Further, failure to trip is probably only igortant with respect to reactor scram. For this event, the reactor trip breaker (#58) nas a
,] l* such higher failure probability (by a factor of 50). The trip logic m
module failure rate is thus considered acceptable in the context of [ influencing the overall risk result. + ., s 1 The de power supply components (#'s 56 & 57) have significantly higner failure rates in the SSPSA than comparable data from other
.o g j j sources. However, these failures do not appear in any dominant
-3 i accident sequences (see SSPSA Section 2). Thus, a reduction in these y; rates would not influence the study results.
- lj
.I 4
- i. ; (. 3.6-15
,1 t l I. t s l
, 8_ _._ _.
. . . . _ . _ . , . . ~ - _ . . . . . . , . _ ~ ...-. .. . - . .
,, _ . ,7. , , ,.;7..--.
[
.o .* r"*.j,e
.p,s;*,. ,
The final two components (#'s 58 and 60)(1) nave failure rates consistent with other data. Tne fourth column of Table 3.6-1 provides a ratio of the Mean and Median values used in tne SSPSA. As indicated previously, this ratio provides a
~
measure of the skewness of the distribution assumed for each component. l Generally, a nigner ratio inplies a larger uncertainty (broader uncertainty .] bands) in the presumed distribution. In most cases the mean/ median ratio ranges from 1.2 to 3.2. However, in five cases the ratio is significantly
. larger, ranging from S.4 (disc rupture of a motor-operated or check valve,
.g j #31) up to 13.2 (spurious operation of bistacle, #38). The basis for enese larger values (as well as all other values) could not be determined since tneir derivation is not provided in the SSPSA and is apparently based on proprietary data. Furtner, in the case of two components, valve disc rupture
- (#3,1) and ' spurious bistable operation (#38), no alternate da'ta sources were found. For the remaining tnree (pipe ruptures and single control rod
,s failures, (#'s 29, 30 and 60), the comparative data do not support the large .
i ' mean to median ratios. This is illustrated in Table 3.5-2 wnich lists the enree components from the SSPSA with high mean to median ratios for wnica ] b ; other comparative data exist. The table also lists two additional components
- u. .
ij -i from Table 3.6-1 which have low SSPSA mean to median ratios, bu't very wide 'll t j ranges from comparative data sources. Table 3.6-2 lists the SSPSA mean to
,j l median ratios (second column) and the nign and low values from other data j i
- - t s1 -
(1) SSPSA Table 6.2-1 nad #59 missing. .,.q 1 c 3.6-16 i ~. '.s' I
. ,p , , ,- - , . . - - - ~ . - - - - .- .- .- . . - . - - ,
. ! .+
n . . . i
, l sources (third and fourth columns). The fifth column lists the number of i
. e comparative data sources from wnien the range was obtained. (These sources l
,, are listed in Table 3.6-1). The final column provides a range factor wpicn is
.)
}
1
' " ~
simply tne ratio of the extremes shown in the third and fourth columns. l] .p Table 3.6-2 . COMPARISON OF SSPSA MEAN TO MEDIAN RATIO WITH OTHER DATA M i 1 : l 55P5A Range from otner cata Range 0] : Component Mean/ Median t.ow i j High Number Factor M .
? l '!, i Single Control Rod 5.5 IE-4 4.6E-5 2 2.2 h' Pipe Rupture, < 3" 9. IE-9 8.6E-9 5 -
8.6 I Pipe Rupture, > 3" 9. 4.56E-11 8.5E-10 5 20. [ Bus Failure 1.5 lE-8 3E-5 4 3000. ' Relay Failure 2.2 4E-6 IE-3 5 250. p r, l, V 'j Table 3.6-2 illustrates that tne.SSPSA mean to median ratios are not
; consistent with the ranges (uncertainties) from other data sources. For example, the range from comparative data for one of'tne hignest SSPSA mean to h
- median ratios (9 for pipe rupture 1 3") is a very modest 8.6, while one of tne r .;
d 5 lowest SSPSA mean to median ratios (i.5) is for bus failure whicn has an
? :
extremely large range factor (3000). Similarly, tne low mean to median ratio h
- for relay failures is not supported by the high range factor (250) from y < comparative data. Further, the same mean/ median ratio for botn sizes of pipe
? rupture is inconsistent with the different range factors for these ruptures.
d , d . .l,
^
3.6-17 V
* **'*' *~~ * ' * ~ ' ' ' ~'" ~ * " ' **'
S e e- = -mew w . we m .te e.e -
- e., =-'
- 9 * *** * *
,+g, . ,w *symme. % -
= _ - - - - .
1 .
. ,, n. 2 .
] ]
- It is difficult to draw any conclusions from this overview of the SSPSA mean ;
l to median ratios. The distributions associated with these ratios can be i j important in estimating risk uncertainties (see Section 5.2). It can be j j l} concluded that the SSPSA mean to median ratios do not seem consistent with the
.j t ' .1 - i ranges from other data sources and that it is not obvious why the ratios are 4
y significantly larger for the identified five components. However, the a y ; validity of the SSPSA mean to median ratios cannot be established without
;t f reviewing the basis for their derivation (not included'in the SSPSA documentation).
i I.
?-:
3.6.2 SYSTEM FAILURE PROBABILITIES is t This subsection presents the results of a review of the "frontline" and
" auxiliary" systems failure probabilities as assessed in the SSPSA. These probability assessments are summarized in SSPSA Section 7 (Systems Analysis),
and details are provided in SSP'SA Appendix 0. A total of 6 frontline systems _) and 6 auxiliary systems were considered in the SSPSA. However, in two cases T seve*al subsystems of a main system were considered separately, bringing the
.I , I total nunner of individual systems quantified to 17. Two of the systems.
containment spray and containment isolation were not considered because
& containment behavior during the severe accidents analyzed in the SSPSA was j M ;
d j excluded from the scope of this review. i$ i. H The scope of the review was limited to cogaring the system failure and unavailability probabilities to other assessments for similar systems, .] I attegting to assess the reasons for and .a ..nificance of differences found, n jj and review of system unavailability quantification as assessed in Appendix 0 "4 . 3 ') f .1 (-) 3.6-18 'j v 2 : i:.
- h.f '
1 .
.__..m.____ .
l
.....u.-.:......
.i
~
. of tne SSPSA. Resources were not available for. examining the large nuccer of fault trees utilized in the SSPSA for quantification of system failure, nor j
; was it possible to systematically evaluate plant drawings to assure that the J fault tree logic accurately represents the plant configuration. However, the 7j SSPSA systems analyses nave been evaluated separately as part of the review, and the results are given in Section 3.4 of this report.
$ To accomplish the comparison of system failure probabilities, several d
O j independent sources were selected. These inclu'ded WASH-1400(3) , tne Secuoyan it i 9 - RSSMAP study (17) , the Zion PRA(7) , and the Millstone Unit 3 PRA(3) . All of
! ; these sources represent risk assessment studies for plants in wnien the p$ ,
nuclear steam supply system was supplied by Westinghouse. They represent a h rather broad spectrum of comoinations of sponsoring and performing l;i ' ' j organizations. The first two were sponsored by the NRC and performed by government contractors. The WASH-1400 study represents the earliest PRA
^
r evaluation, and Sequoyah one of the more recent. The last two are PRAs sponsored by utilities and performed by private contractors. The Zion PRA was ~
; ; performed by Pickard, Lowe, and Garrick, the same firm which performed the j
(~j ; SSPSA. The MP-3 PRA was performed by Westingnouse. 3 i s W4 L:d d u- a j In addition to tne four PRAs utilized in the comparison, several additonal N i sources were utilized in wnica failure probabilities for the individual fl '] .
- 2
[i systems were evaluated. gj ; It was recognized that differences exist among the four plar.ts and tneir M. individual systets designs for which PRAs were used in the comparisons. For 3 hy ; example, the Sequoyan plant employs an ice condenser containment wnile the 9: ! ather three PRA plants nave large dry containments. Also, tne Surry plant
.i 3.6-19
.i v l
'..;..__._. . . ~ . m - - - . ... .- .--. - - - - - - .-
i- -
- j. ;
, I !
4
' used in the WASH-1400 evaluation has three primary coolant loops while the
. I t others employ four loops. An attempt was made to account for the effect of i.
.' these and other differences in performing the comparisons.
a f The procedure used in the comparative evaluation was as follows: M
- 1 .
[j , ,; System failure data were c:mpiled from the various sources and 1.
'I j segregated to be compatible with the systems breakdown employed in ;h .g ; ,
O the SSPSA. f 1 i
>:.. 3 'i I 2. The fatiure rates were compared, and those SSPSA rates which seemed 1 ,
to be significantly outs'ide t:e range (either higher or lower) were identified.
- 3. For those systems idcntified in Step 2 preceding, a cneck was made
- I
. ,3 using the dominant accident sequences identified intne SSPSA to V determine if changing the SSPSA system failure probability to be
.j -
consistent with other data would influence (eitner increase or l! , i decrease) the core melt probability or early fatality risk. u !. K 'D _f 4 ; 4. For those system failure probacility enanges identified in Step 3 1-4 '3f h i whicn influenced the SSPSA results, an evaluation was undertaken to .g j r 5.!
, .i determine if the reasons for and validity of the SSPSA rate could be
-i
-l
$.d ! established.. If errors were found, or if the SSPSA rate could not be $ .i verified, a requantification of the SSPSA dominant accident sequences e i j j was undertaken employing a system failure rate judged to be more [? appropriate based on rates from alternate data sources, t .<
<j
!- } ,1 3.6-20 i d v I * (.
- i. ,; _
j '?
=,,g apassesse w *a **--***r= e4W 4 9 W * *"> m - ,9**-- 9"-- - - - ' ' * ' - * * * ~ I-
- f* *W - -
1 1 1
- 5. A review of system unavailabilities as presented in Appendix 0 of the l i 3 SSPSA was performed for selected systems.
)
y f It should be emphasized that none of the alternate data sources are 3
-; considered, a priori, to be more valid for any particular system than the i .1 SSPSA results. The purpose of the comparison was to identify apparent 3 i y " outliers" in the SSPSA system failure quantification for further evaluation.
A : . ..t ;
'I t <f ;
fd I Tanle 3.6-3.provides the results of the system, failure probability comparisons i ,j for the support systems as identified in the SSPSA. It was found that an inconsistent and irgrecise definition of failure existed in the ' data sources
!, (including the SSPSA). Frequently, the mission time for the system was not I specified, in which case the failure was assumed to be per demand. In other cases, the mission times are not consistent among the studies. However, for
,r s short mission times, the demand rate is generally equ'ivalent to the. risission
; rate. Further, for systems wnich must start from a non-operating condition, the failure rate is usually dominated by start failure of active components.
Thus, for these cases, the mission time is usually not important. These
; considerations are evaluated further in specific cases. ~.
O
- j *
.A R j A 1 4 ~
? r +1.
- h. !'
Ms
- )
G 1 3.5-21 l J
.. I 9
-1
; . ~ . . . , . . . ._._....-,___....y.- ... _ . _ . . _ .._. -... . -
~
~
- 1 l Each of the eight systems listed in the first column of Table 3.5-3 will be l
, g considered separately, as follows: * ,l i 1
i m
~
')
. 3.6.2.1 El.ECTRIC POWER
)
- i The ac and de power systems were considered separately in the SSPSA, and
? :
4 l j separate entries are provided in Table 3.6-3. The ac power system consists of c the emergency diesel generators and associated hardware necessary for ! l
. g providing ac power to the emergency buses. The de system consists of station
's batteries and associated hardware. The two systems will be considered separately.
.)
l 3.6.2.1.1 AC POWER -
.i
- j. ,
i i The emergency ac power system has consistently been found in PRA studies to be I q one of the most risk significant systems at. nuclear power plants. J Accordin'ly, g a rather extensive survey of various sources of system failure rates was undertaken, resulting in the seven data comparisons shown in Table 3.6-3. The SSPSA' rate (for 24 nours) is at the high end of the failure h probability range. Only the WASH-1400 rate (per demand) is higher. However, if , ya the WASH-1400 rate is based d the assumption that no load sequencer exists at i tne Surry plant. It was, therefore, assumed that both diesels would fail from
}]i j
] the same cause (failure to as'sume full load). The Seabrook plant has a load J sequencer. Thus, the WASH-1400 rate is not directly applicable for
.,1 i Seabrook. Comparing the remaining rates, the SSPSA value is within a factor
,' :.1',g i j of 5 of all rates in the "other" column (except for the low end of the range o} '
.f I from Ref.11). Furthermore, all rates for ac power in Table 3.5-3 are for
'1 . l ~;. i 3.6-22
~
/'
, V .
A ; t n . .n .. . ..,, .~ ~~. ..
.- , ,yna3p -,.-.r~--~:.~~.~--r~+~~~~- r~ ~ < ~
.........~...J..:A
wl %.;6Id.d.Eu"' - ' A%% " * ' -- - -
mMr usE ' 'wG :.a n . .'-.- .: 2;.. . . . . .- . . .. , .. s I
; i ! l O. (.) O -
1 4
! .i .
i 1 .
. Table 3.5-3
( ) designates footnote
~, ( ) designates reference decimentatloa
, E0MPAal50m 0F SUPPORI SV5IIM FAltuRE SAIE5 1
- system >>ran unsu-secut a sequoyantlij sioatsj w-as; utIEr I. Electric Power j 'ACIII 7.7E-3/24 hr IE-2/d IE-3/d 6.3E-4I8)/6hr 4.6M-4/d 1.5&-3(9)(10) ,
. 'j '- IIII/d j il.lf-3II)6.ef-3
.eE-3t /d i DCI 4.69E-7/24 hr IE-6lII/2hrlill 6.lf-6(le)[II]jg ,
I
- 2. Service Water 2.3M-4(12 /24 hr. 2.2E-8/24 hr. 7.44E-6/24hr2.7E-5/yrIli) 1 6.4M-6tl3}/24 hr.
1
] .aa 3. Primary Component 1.64E-6/24 hr. 2.7E-8/24 hr.
! cn Coollag Water e
i U 4 Instrument Air 3.07E-4/24 hr.
- 6. Reactor Irlp 6.6M-4/d 3.6E-6/d 2.98E-5I4Id
/ 1.sE-4/d 3.0E-5/d a
! 6. Solid State Protection 2.92E-6III /d
]!
J. Englaeered Safety 6.X-5(2)/d 2.7E-6ISI/d 4 I.M-5gl l.M-4 /d
, 8. Containment factesures
'e Air Handtlag:
> I Cooling I.89E-5/24 hr.
- Air Cleanlag. 3.19E-6/24 hr. SE-4I3I/4 me.
,1 i
[onditional prenansistles given loss er errsite power .ul >ystem nas r diesel generators plus swing unit
! i 2 for treasient faltiating events 1 9) One of two diesel generators failure to start air-cooled i 3 1 Emergency gas treatment air cleanup systee 1 10) for a system which meets slaisua hhC requirements (4 I lacludes only red drop failure and test and malatensace contributions I
l18) Actual alssles alas not specified . 2 hours is assumed based ua
?
5 t Safety lajection discussten la aeference 17 6' l Containment spray (12) With safety lajectica (5) signal (7) ha ac available ' . (13) Without safety lajectica (5) signal i 1 1 i t a . l.
M : .
" demand" or for times less than the 24-hour mission time assumed in the
~j ; SSPSA. The failure to run contribution from the SSPSA (Section 7.2) for the 4
.{ j ,3, 24-hour interval was found to be a siga.ificar:t failure contributor. Thus, the
~#
'! SSPSA cate for emergency ac power failure is considered valid except for the 34
- } comon cause contribution.
A. g In assessing the comon cause contribution to diesel failures, the SSPSA used
'l beta factors of 0.0133 for failure to start and 0.0325 for failure to run. As 7
~j-
- discussed in Section 3.10.6', these factors are quite low compared to alternate m ,
<.] , data sources and the generic beta factor. To assess the significance of tnis I difference, the diesel generator failure probability was requantified using ]A d tne SSPSA generic beta f actor of 0.125. This resulted in a slight increase 2'
- y. ! (less than a factor of 2) in the failure probability of emergency AC power wnich would not have a significant effect on tne SSPSA results.
l- ,s - 3.6.2.1.2 DC POWER
- b. , ._ .
The 'SSPSA assessment of de power failure is significantly below the other data sources. In examining tne derivation of the result as presented in SSPSA . l Section 7.2 and Appendix 0 (Section 0.2), no apparent reason could be found i f for the low failure rate. However, the information presented is not il congsrehensive enough to trace the origin of tne failure contributions and p] . 1 9 ; evaluate their validity. It appears that the failure probability is dominated d V by independent hardware failures (as indicated by SSPSA Taole 7.2-1). The
.] <;j most likely hardware failure is expected to be failure of tine battery itself,
$a 1 which is assigned a value of 4.84E-4/d and 7.53E-7/h in the SSPSA as indicated v l in Table 3.6-1. For a 24-hour period; the two train de power system f ailure 11 I4*
, 3.6-24
'. .i; v
't i .
. ,y. -.,cm ~. w-. m-m.~.-s~- ,- - - - - -
- -~- m ---- - - - - - - ~ ~ ~
. __* 2 -
pr0cability would be, assuming independent failures of batteries only: 1
,, (4.84E-4) (4.84E-4) = 2.34-7 (24) (7.53E-7) (24) (7.53E-7) 3.24E-10 Total 2.34E-7
.] - This result is quite close to the Table 3.6-3 SSPSA result. However, this
). i i
simple assessment ignores conson cause contributions, wnich were apparently
..M =d 1 also not considered in the SSPSA since SSPSA Table 7.2-1 does not have an M i .E i - entry for the comon cause column, and SSPSA Appendix 0 (Section 0.2) does not '!l
- I consider a comon cause contribution. There is no known reason why battery
[:1
, .j g failures should be exempt from comon cause failures. Reference 11, for \ exagle, concludes that comon cause failures dominate system unreliability. .
The SSPSA uses the B-factor approach to assess comon cause contributions for other systems (see Section 3.10 following) and provides a tanle of B-factors (SSPSA Table 6.3-2) for various components. No factor is provided for j batteries, but a " generic component" factor of 0.125 is provjded, and arguments are given in SSPSA Section 6.3 to support this value. It is also
! consistent with ~the WASH-1400 estimate of 0.1 as a B-factor for generic s1 If application. Employing a B-factor of 0.125 for comon cause battery fatlures 6
- h. l yields a failure rate of (0.125) (4.84E-4) = 6.lE-5 for a two-train system.
q;t 2, (The failure to operate contribution for the' 24-hour period would be e !
}.f -
negligible if the same approach is used.) This failure rate is consistent p.; d with the value in the "Other" column of Table 3.6-3 from Reference 11. e. .D$l However, according to the Reference 11 assessment, the 6.1E-5/d value is for a
- system which meets minimum NRC requirements. It is estimated in Reference 11 i.
7 that improved surveillance, maintenance, and testing could improve the
- a 9 ,
3.6-25
. . .? \_,i
..g.
e W- k .e.g - WS .g W emse W 6Q - y% % 9 *S W M M@ @ WW . , , _ ,% O - "- T'
~ - . _ .. . . - < . ,--, ,,,m . - , .
. .. . . : . .: . .a -
'i reliability of the de power system by -1s :uen as a factor of 20, bringing tne
. faf*ure rate down to 3E-6. It is not known to what extent these improvements 3 might be employed at the Seabrook station. It is expected tnat some of them
- j '
would likely be implemented due to tne recent emphasis wnica has been placed on de reliability. On balance, it seems reasonable to conclude that the SSPSA de power system failure rate is probably in tne range of IE-5. 1 a,
.. i 7 An attempt was made to quantify the influence of tnis revised de power failure j rate on the SSPSA core melt probability. The rate is only applicable
? :
; : (conditional) following loss of offsite power, assa'ssed at 0.135/yr per SSPSA g 1
') ', Table 6.6-2. If no credit is given for recovery of offsite power during the
'1- to 2-hour time period in which an irreversible core melt is expected to y>
ensue, and fartner assuming emergency feedwater cannot operate witnout dc power, the core melt probability for the sequence loss of offsite power I followed by loss of de is: m, 0.135)(lE-5) = 1.35E-6/yr. - This conservative result is more than two orders of magnitude lower than the y , total SSPSA core melt probability of 2.3E-4/yr (SSPSA Section 2.1). Thus, the
-l proposed revision to tne de power loss probability would not impact the total i ;d q ; CMP for tne Seabrook plant.
.1 ' 8 "i .i L - 3.6.2.2 SERVICE WATER
;l :
0 -
~
The SSPSA failure rate for the service water system following an accident h; initiating event assuming a 24-hour mission time is provided in Taole 3.6.3. 14
.i '
3.6-25 1 j L a 1 1
- .:.. n. , . ,.
- , . _ _ . . . , - _ - - . . - - . - . - . . . . . _ . . - . - - _ _ . . _ _ _ _ _ . . - . - . . _ . - , - - . . - - . ~ . - - - - ~ . - - - . - - ~ . - . - . . - . . .
~. . - ..= , n. . .
Two values are snown, 2.32E-4 for the case when an 5 signal (safety injection 1 signal following a LOCA) is present, and 6.43E-6(1) wnen the S signal is not
. s present (non-LOCA initiating event). The rate of 6.43E-6 is reasonably
, .J' consistent with other rates in the table altnough somewnat nigner than most U (the Oconee rate would be equivalent to 7E-8/24nr). The rate with a safety N injection signal present, on the other hand, is clearly mucn larger than any
.1 j , other value in trie table. In view of these differences, a detailed review of
.j i
-1 the SWS failure assessment as provided in SSPSA Appendix 0 (Section 0.3) was M undertaken.
d In reviewing the Appendix 0 SWS failure assessment, it was found that the ]i14 . y reason for the much nigner SWS . failure probability for the case of an S signal
?)! present was due to the assumption that failure of two valve closures which ., isolate tne SWS from secondary component cooling (SCC) would fail tne SWS t
function. This failure mode dominatas the SWS failure. These valves are automatically closed upon ' generation of an S signal to maximize SWS flow to
~
1 components critical to successful recovery from a LOCA. Given this assumption, tne SSPSA quantification of SWS failure for an S signal present
,, appears valid based on valve failure rates and conunon cause contributions (B-
$;.4 factoes) used in the SSPSA. m l'.% 2 w , 3 a i (1) This value is from SSPSA Table 1.3-10 and is not consistent with the
!! incorrect rate shown in SSPSA Table 7.3-1.
h. 8, M L: 4
~
[1 3.6-27 v ] . L1 M i o _ , z. -
, i
, j
! For the case of no S signal present (i.e., initiating events other than LOCAs), several apparent deficiencies were found in the SSPSA analysis, and
't requantification was undertaken. The major deficiencies were:
O #
.i
.,! 1. It was assumed in the SSPSA that fans and dampers in the pumphouse
'l j switengear and pumphouse buildings would be in a non-operating status
] -
,j
. i
, at the onset of the initiating event. Actually, these systems would be normally operating to supply necessary cooling and ventilation for j:a l
! the SWS components. In tact, according to SSPSA pages 0.3-13 and 14, 8 } a pre-operational status is assumed.
E I Ki i
.s ; ]:.4 ; 2. It was assumed that coninon cause failures affecting ventilating fans 11 . and dampers would be negligible. The basis for this assumption does y .
i not appear valid. Part of the basis is apparently derived from the SSPSA g'round rule (Pg. 0.3-37) that passive devices are assumed to
? 3 nave negligible coninon cause failure potential. This assumption.is
~. questionable for some cases as discussed in Section 3.10. -
l > t ; j
- 3. The failure rate contribution for the pumpnouse ventilation failure
+
k f appears improperly quantified wnen using the SSPSA failure rates for .i3 ~l back draft dampers (SSPSA Table 6.2-1). The revised failure
.9 '
73 I contribution is about 6 times greater. 3 i 1 ,j t The SWS failure probability was requantifta using revisions wnica eliminated j . the three apparently deficient assumptions. Only failure to continue h operating contributions were considered for the SWS pumphouse fans and !g dagers, consson cause contributions were considered for fans and dampers using !k 3.6-23 e=.96*d'".9 ' * = *
- @QF S,N *.g98'. ,, - "M* N8 , -M Np - -r- U #' Y " 'I "' e
i , , a B-factor of 0.1, and.the errors in the pumpnouse ventilation failure
; probability were corrected. The requantification produced an SWS failure probability of 6E-5/24 nrs compared with the SSPSA result of 6.43E-6/24 nrs.
a - However, the Seabrook plant design includes a cooling tower system (CTS) which automatically is actuated upon low discharge from the main SWS. The CTS I. . provides the cooling function normally supplied by the SWS. The SSPSA failure f rate for the CTS is 2.46E-3/24 nr (SSPSA Table 0.3-10). This quantification N): ; was reviewed, and it appears reasonable. Thus, tne probaoility of loss of
.. service water function, as requantified herein, would be (SE-5) (2.46E-3) =
1.5E-7 This rate is not a significant contributor to core melt probability D j when coupled with initiating event (non-LOCA) frequencies. However, it would raise tne SWS failure as an initiating event by about a factor of 10 over the 1 SSPSA rate to 5.4E-5/yr. However, this rate would not be expected to maka a l !:. significant contribution to the overall SSPSA core melt probability,
,__ especially if tne CTS backup is considered. -
V - A special case of SWS failure does appear as a dominant sequence in the SSPSA. This sequence is loss of offsite power followed by SWS failure. The i il p , SWS failure probability for this case was reviewed (as provided in SSPSA + i I
. Section 0.3) and found to be reasonable.
- c. :-
p j It is of interest to nota that Section 0.3.2.4 of the SSPSA discusses i~ j nistorical nuclear power experienca and concludes that a review of tne publication Nuclear Power Experience indicates no instances of systems design
. failure experienced. It is further concluded that instances of actual coninon q
cause failure of service water systems in the publication. Section 0.3.5.5 { i] 3.6-29 y
-.-=..--==..-..;'^
.,A., = - - . - - -- -m-.--- ~- = - .
- l. . . -
s . . ; c. also concludes tnat no "true' comon cause failures have be:n reportec. However, according to Reference 13, a service water system failure did occur at the Brunswick plant, and eignt additional instances were found where connoa
' ~~
cause failures could have occurred, including two cases of strainer plugging 1
. and six cases involving buildup of oyster shells, barnacles, and asian clams 3 -l 3.6.2.3 PRIMARY COMPONENT COOLING WATER -
.] 1 ' A i As snown in Table 3.6-3, only one alternate failure rate for PCC could be j found (Zion), and tnis value is significantly less than ene SSPSA. Because of
- t tais disagreement and also because PCC failure is an important element in
.[
f- several dominant accident sequences following initiating events (per SSPSA 21 Table 2.3-5), an in-depth review was undertaken of tne SSPSA PCC failure
]
probability as presented in SSPSA Section 0.4. In reviewing tne PCC failure quantification, numerous apparent discrepancies were found, as follows: g!
- 1. Numerical errors - The overall results presented in SSPSA Taeles 0.4-10 and 0.4-11 cannot be obtained by using the total values for the blocks in Table 0.4'-7 in conjunction with the equations on pages 0.4-
% 13 and 14 as well as 0.4-17. In reviewing this discrepancy, it was
- H d -j found that tne totals for the blocks in Table 0.4-7 were incorrectly a,
.4 sunned based on the values given for the individual component failure 3
rates. By correcting the sums, the results become reasonaoly %~
]3 consistent.
l .9 !.: .4 f.) 2. Valve failure mode - It is not apparent why the failure mode " Fail to transfer to the failed (closed) position" (2.66E-4/d) was used in 'S
! 3.6-30
- p. ]
u
,.w .. - + . . , -....g. ...g.f..- . ..p. _ ., .
.,-e - . _ 7.o.-=...-s--e.-- - . + . . ~ .
. .. ...- u z+ i. , .
.j . . s . * , . s SSPSA Table 0.4-7 for the valves wnich isolate nonessential cooling a loads inside and outside containment for those cases in whicn offsite 1
power is retained. For LOOP cases, the secondary component cooling V (SCC) system wnich coo.ls the instrument air system will fail because ! i u it is isolated from the SWS tnus, (see Pg. 0.5-4). Thus , ai r j compressors would not be expected to operate for cases involving , 1
! LOOP. Failure of the isolation valves dominate PCC failure for the '. } . cases lA 1C, 2A, 23, 2C. (The Table 3.6-3 rate is for Case 1A, all
- q
., support systems available). These valves apparently transfer to a -9 .j bypass configuration upon a T or P signal (depending on the type of i
- s. initiating event), and it is not clear why a failure to operate on s
3 demand rate (wnich is about a factor of 6 nigner) was not used for M
}j the cases (including 1A) in wnica loss of offsite power does not l occur. However, the correct failure mode could not be estaDlished
- I with available information. Details o'n valve actuation logic, type of valve, etc, is required to further evaluate this issue.
!. . 3. Common cause PAH ventilation fans - For the cases of loss of offsite 4 l . power, the normal primary auxiliary building a.ir nandling (pAH) a <
system trips, and PCC system cooling is provided by a subsystem of j( , g ; tne PAH wnica is powered from onsite emergency power and must start A: J;. from a standby condition. The SSPSA assumed that failure of this l13 : system would fail the PCC. In quantifying the failure probacility of $jd I q . the PAH subsystem, the SSPSA assumed that connon cause failures of ventilation fans to start or run (1 out of 2 required) woulo be Lf] negli gible. The assumption was based on arguments tnat. (1) assuming 3s d failure of PAH (as well as no credit for repair) leads directly to n 3.6-31 } ~. _; l l ra (', D l-
- . - , , - , , - - - , . . . . - - - . . . - - - ..-J
" ~ '
. . . - _ l PCC failure is already conservative, (2) certain comen cause events such as fires, turbine missiles, etc "are explicitly recordec as
_, initiating events", (3) use of. "wnat is believed to be a
.$ conservatively Nign failure rate for ventilation fans" (4.34E-4/d,
.s
,4 7.89E-6/N), (4) examination of a "large fraction of the reported
.5 failures in U.S. nuclear experience (revealed tnat) no comen cause j failures involving HVAC fans other tnan fires have been identified".
21 In examining this issue, it was concluded that Argument 1 preceding a 4 is probably valid altnougn no information was found in :ne SSPSA or
- j. elsewnere wnica establisned the extent of tnis conservatism (time i
available, recovery options, etc). Argument 2 is not directly "l applicable to the situation being considered. The comon cause
'I failures of interest here are not external *snocks" wnica are l
considered for initiating events,_ but rather internal, component ,. ; . related failures which can occur when tae system is comanded to j
-l start. Argument 3 does not seem to be supported by failure data in .. i -
l SSPSA Table 6.2-1 (see Table 3.6-1 of this report). The ventilation i
- fan failure to start rate is one of the lowest of all active Jg components, lower than pumps, all active. valves, the cooling tower
.t ,
[;$ j fans, etc. The failure to run rate is also one of the lowest. The .d l last argument was not verified since readily available pertinent
'i :
M information could not be found.
$ i i
2:1 j,j . 1 ti , 3.6-32
] , v i
1 ee o.=e .- ee . - e me +w" * *
. -- . _...,...-..... --,~. - - . e q.-. .
-c. - - - - - - - * - - * - ' ***' " * '~~ * '***
. . _ - - , - - . - . _ - - _ _ _ _ - .~,-. _ . - . _ . . . _ _ - . - . . . - - - - -
- g. - . - ,
l On balance, it does not appear valid to ignore connon cause
! ventilation fan failures. In order to determine the influence of 3
. considering such failures, a requantification of tne PCC failure rate i
- O' was undertaken assuming a common cause failure rate for ventilation j '
!! fans. A B-factor of 0.1 was assumed (see Section 3.10 for a f discussion of tnis factor) and was applied to both start and run J
l failures (the run failure is the dominant contributor for a 24 nr mission time). Requantifying the results produced tne following 1 Ll change:
- i E.
SSPSA Revised
;O ,'
Case 18 (loss of offsite power, F 8.13E-5 all support systems available) i :( j This enange was found to have an insignificant influence on core melt
? .
probacility since tne PCC failure mode 13 does not appear in any dominant sequences, and the revised increase would not produce a
._.. dominant sequence even assuming the Case 13 element occurs in a
(.
~
sequence with a probability equal to the lowest of the dominant sequences. 4 Connon cause pumo failures - In quantifying common cause pump failures in tne PCC system, the SSPSA assumed a B-factor of 0.0365 a ; hj l for failure to start, and 0.0232 for failure to run. As discussed in s 4 j Section 3.10, these values are low compared to other pumps, alternate 1 i data, and the " generic" rate (0.125). The basis for these PCC pump M i j 8.-factors is apparently. proprietary. However, the values are %- ! considered questionable based on Section 3.10 arguments, and a
- s :
[.) i requantification was undertaken using a value of 0.1. Tnis raised J
- 1 Li i -
3.6-33 llI ' j e V l l7 l !l 1 i e
...e _ .
_z. .....w. . .~ ... . . . . . _ . , .. . , _ .- _ . . i
.. . - . . . - . . - . -..... --... . ... .. ... . . . . . .~~... ' . - - -.
tne common cause contribution as computed in the SSPSA (by use of the equation at tne bottom of 0.4-23) from 9.93E-9 to 2.2E-8. This
- increase does not change the overall PCC unavailability wnich is i
4 almost two orders of magnitude nigner from other causes. 1 d \ t' 3 j 5. Common cause valve failures - On SSPSA page 0.4-24, it is stated that "Possible connon cause failures of these components (motor and air
]
i operated valves) have a negligible contribution because, even after 1 .i
~i I postulating a generic beta factor, the failure rates are so low as to I
be negligible." This statement is incorrect in tnat valve failures i ! i ! (particularly air operated valves) dominate the failure probanility
.i of each PCC train.
.I
! i
}
! This can be readily seen by examining the values wnich go into the
.i .
failure logic equations on SSPSA page 0.4-13. For example, the
, . . failure logic equation for boundary condition lA is:
' i . PCC-1A = (A8 4 ) (A8 4 ) wnere (from Table 0.4-7): A = 8.21E-4
}
g
- s .
B = 3.74E-3 t
! C = 1.14E-3 (corrected sum, see item 1 preceding). ' . It is readily apparent that element C dominates the product since AB
<y ,,) l = 3.lE-6. Element C, which includes all failure possibilities (' -1 . i' external to the two parallel pump patns for eacn PCC train, is
- k dominated by MOV and ADV failures, with A0V failures making up over i.
90% of the 1.14E-3 rate for C. I. I 3.6-34 I ' l it t y
*......r-.,.,,.,
.g.,,,, . , .....-_,,/ , . . . , . . , . , . , , . ___ , , , _ _ _ _ .,y, , ,
NJ - __ . . _ -.. . --- - - - - -:- - - L --- - If a generic B-factor of 0.1 is assigned to air operated valves (l) , tnis is equivalent to the following failure statement:
. i I
.; given an air-operating valve in train A fails, there is a 107. cnance
. tnat the same valve in train B will fail from the same cause.
Requantifying under this assumption would produce a PCC failure
; probability for case 1A of 1.06E-4, some 70 times higher than the
! total from all causes in SSPSA Table 0.4-11. Cases 18 and 1C would
. 1
.( - . also have much higher failure probabilities under this assumptions. ? < i - a The .large increase in PCC failure probability suggested by this
- 9. . requantification presents a dilenna. It is not reconnended that i these requantified failure rates be adopted for recalculating the i
SSPSA core melt probaDility because several important factors wnich could influence the validity of such requantification remain
~
unknown. These f actors are: (1) Does failure of any single of the
! air-operated valves in question actually fail the PCC train? These
. valves.merely isolate nonessential heat loads from the PCC train and d
a
] do not directly interrupt PCC operation. It seems unlikely that <
failure to isolate one of the nonessential loads would prevent the
,4 i
f.i PCC train from providing adequate cooling 1 3 i. (1) Reference 18 estimates a B-factor of 0.2 for the air operated valve O
] failure mode " failure to open, close, or operate".
m
'. i N
- l. 3.6-35 e
'. - . . . . - .. . . . ,~.... .. - ,.- . - - - -- -- - ~ ~ - - - - - . - -
_ .e. . . = - - - .---
- to essential loads. However, insufficient information was found in the SSPSA to establish these failure criteria. (2) What is a realistic B-factor for the air-operated valve failure mode assumed in
* :ne SSPSA (failure to transfer to the failed position - see item 2 preceding)? (3) Is it likely that manual correction of failed A0Vs could be accomplished since it appears that even if eventual PCC l..
j train Failure would result from an A0V failure, substantial time
- 1 '
M would likely be available before it occurred? I i 'i The issue of PCC failure from A0V common cause is considered to ']
-4 remain an open item.
q.) 3 ?.i
} ,' 3.6.2.4 Instrument Air System This system, as described in SSPSA Section 0.5, supplies compressed air for
., pneumatic instruments and controls. The IAS is not a safety system in that its availantlity is not required to prevent core damage for any initiating i
event. Furthermore, failure of the system leads only to a loss of feedwater-y and closure of steam dump (to condenser) valves. Other valves supplied by the A system transtar to tne " safe" condition upon loss of air pressure. The , f*A feedwater loss frequency caused by loss of IAS is assumed to be included, 4 L,'] according to SSPSA Section 0.5, in the overall feedwater loss frequency. This appears to be a valid assumption. As shown in Table 3.6-3, no IAS failure
}
data were found to comoare with the SSPSA result. Thus, a review of the SSPSA i t.t M quantification was undertaken. V b n
; 3.6-36 s
e
. mum- - e = Juww esp aw ,=4 =
= e um , --,.e-e. .--e ,,= e, we + e . s.g e> m.4 m- -y w- *
- v - ,, -
%c. 7 w-- - . - - --- , - - . _ _ . - - - . , - . - -
T
, u . .
- - w Tne only apparent reason for considering the IAS is for tnose particular accident sequences wherein core cooling .tignt be restored by operation of the m secondary cooling system (i.e., restoration of feedwater and steam cump to tne condenser). In order to affect such restoration, the IAS must te operating in d
order to manipulate tne appropriate valves. f. Q , In examining the dominant accident sequences in SSPSA Taole 2.3-5, failure of y . Q ; the IAS does not appear in any sequence. For most important sequences (i.e., 4 t
-; ; loss of offsite power, LOCAs), the IAS is not even considered because it is
.q :
4.1 assumed to fail as a consequence of tne initiating event (loss of offsite 4 i]f power) or will not influence accident recovery (LOCAs). Inus except for the
.i < ,ii possibility enat the IAS failure probability could be significantly increased, 1,]
U the system will nave no influence on :ne SSPSA results. As a result of tnis
- t 3 evaluation, review of tne IAS was limited to a brief review of tne Section 0.5 i
quanti fication. No apparent deficiencies were found in tne SSPSA assessment. k: 3.6.2.5 Reactor Trio - s l4 ine reactor trip system (RTS) failure probability is considered in SSPSA
.1 .
'. q' , Section 0.5, whicn also includes the engineered safety features actuation
.;} > ;J) '
system and the solid state logic protection systems. Each of the three lj l i :. M ' systems is considered separately in Section 0.S, and eney will be considered ly in separate subsections of this review (see 3.6.2.6 and 3.6.2.7 following). ,d C d As indicated in Table 3.5-3, the RTS failure probability was assessed in ene SSPSA at 5.55E-4/ demand. This value is higner than any of the otner four
*:a ] results snown in tne taole, altnough it is only a f actor of 3 nigner than the l Zion assessment. However, as pointed out previously, the RTS failure appears l ,
3.6-37
*)
e er
. ..- ..-e . ..
. . . .r. ., . . . -.- - r . .. .
$. - - ,, W
~
[. - . . . - . . . . . in only one dominant sequence according to SSPSA Table 2.3-5. This sequence has a probability of 1.9E-6/yr, which is less than If. of the total CMP. (The
~^ sequence is also listed as naving a negligible contribution to risk). Thus, reducing the RTS probability to be consistent witn other values, if sucn a e,
reduction was found to be appropriate, would not have any significant
, influence on either core melt probability or risk. Conversely, an increase in RTS failure probability, considered unlikely in view of tne relatively hign El
- failure probability used in the SSPSA, would not appear 'to change tne CMP j
} results unless the increase was significant (greater tnan a factor of 10).
'j
. 2 This conclusion is based on tne fact that, according to SSPSA Taole 13.2-12,
~
i
]
a 1 reactor trip occurs in only 2 sequences of the top 40 contributing to core 3' melt. The total contribution from these two sequences is only 1.3*. of the total CMP. . 1 o (; As a result of tnis insensitivity of tne CMP and risk results to RTS failure O probability, a detailed review of the RTS failure probability as provided in SSPSA Section 0.6 was not performed. Ratner, a more general ~ examination was undertaken to identify any gross errors, unjustified assumptions, or invalid l analysis. This review did not result in finding any major problems, and the
)i SSPSA result is considered acceptable within the context of the preceding 9
d discussion. ,;n ' 3 q f The review did result in the identification of several apparently minor l-fi discrepancias, as follows: N l.
- 1. Reactor trip system success is defined on SSPSA pg. 0.6-2 and again i
. [.
on pg. 0.6-23 as no more than one control rod f ailing to insert into I l Y 3.6-38 9
. ~ . - .
l l _ _ , _ _ _ _ _ _ _ _ ,
. ... - . . . . . . ~ _ . . . . . .
One core uoan demand. Tnis criterion appears exceedingly conservative and is not consistent with the subsequent analysis. For example, on Pg. 0.5-22, under " assumptions", it is stated tnat "tne top event of interest for tne RTS is failure of two or more control I rods to insert ...", and on Pg. 0.5-35, the failure of all possible
;f combinations of two or more control rod assemolies is quantified.
j (The SSPSA apparently means control rod assembly wnen using only the j .j term control rod). No basis is provided to justify tne failure
$ ! assumption of either one, or two or more control rod assenclies
- i.
] i failing to insert. ]
y + 4 . j 2. On SSPSA pg. 0.6-22, tne failure of rods to insert are assumed to be due to either failures of drive mechanisms to release rods or failure 4 of trip breakers to open. It appears tnat an additional irmortant failure mechanism is failure to fully insert under gravitational r- influence given that the assemblies'are released. This failure mode
~
appears significant based on available data (12) . However, the SSPSA i control rod failure rate (3.26E-5/d) based on proprietary data is
! equivalent to tne LER(12) rate (4.6E-5/d, see Taole 3.6-1). It tnus appears that the SSPSA rate includes this mode of failure.
8 fj 3. On SSPSA pg. 0.6-23, it is stated that the relationsnip between RTS, j:. ESFAS, and SSPS is snown in Figure 0.6-1. However, no explanation is
'i.
.~( provided to aid in understanding the figure, and its intarpretation is ?j q difficult. 1
?! ' l. ,I 3.5-39 MN$M* , hMN8W.8#w" O' *WW d *@ O
- PY '$ O *I' &O '
1 1 3 ,
- ., .e
- 4. The result of this quantification of "all possible comoinations of two or l more rods failing to insert upon demand" is provided on SSPSA pg. 0.6-m 35. However, no details of the quantification are provided, and it does tO not appear possible to verify the result from the information given.
.4
} 5. The basis or justification for several RTS assumptions is not provided, including 30-minute testing interval for each RTS train (SSPSA pg. 0.6-4),
,i _ maintenance duration of 15 minutes (0.5-47) and infrequent trip breaker I
p maintenance (0.5-47). I ! 4
- 6. In quantifying coninon cause failure contributions for the RTS (SSPSA pg.
1 0.6-52), no consideration is provided for eitner failure of drive 1!
.} mecnanisms to release, cr failure of rod assenclies to insert, given t
j release. 4 i 4 - 3.6.2.6 Solid State Logic Protection System (SSPS) 1 No alternate failure rate could be found for the SSPS rate as indicated in Table 3.5-3., Failure af the SSPS does appear in one of the dominant accident ] , sequences as indicated in SSPSA Table 2.3-5. This sequence is identified as loss of main feedwater followed by SSPS' f ailure and is assigned a' core melt 3 probability of 8.3E-6, which is about 3.6% of the total CMP. Since tne SSPS J.- i does appear in a dominant sequence and since no alternate source was found for "O i failure rate comparison, a review of the SSPS quantification for this sytem
't was undertaken. The failure quantification is provided in SSPSA Section 0.6.
i UI L.I The SSPS monitors various plant parameters and provides actuation signals to R,
. .J the reactor trip system and the engineered safety features actuation system ,e when these parameters exceed certain limits, indicating the onset of accident l.
I l l V 3.6-40 l
?
l
..r-- - -
. . ..-r.....-- - ~ - -
conditions. Tne failure probability of the SSPS was evaluated in the SSPSA for six classes of accident initiating events including large/ medium LOCA, steam line break inside containment, small LOCA, steam generator tube rupture, steam line break outside containment, and transient. For all of these events, the failure probability of tne SSPS was estimated to be between 8.54E-7/d and 3.95E-4/d. When tnis rate is comoined with the initiating event frequences used in the SSPSA (see SSPSA Table 6.6-2), the resulting accident sequence probabilities are exceedingly low except for tne transient initiated events.
;! Except for the transient initiated sequences, the sequence probabilities would
- i
;! nave to be increased some three orders of magnitude to begin to contribute to
(.j core melt. As.a result of tnis determination, the SSPS failure probability
; assessment was give only a quick overview (except for the case of transient 1
't initiators) to determine if any discrepancies were obvious wnica could cause the very large increase in SSPS failure probability required to produce
- p. significant sequence probabilities. None were found. For the case of SSPS l
failure in conjunction with transient initiated accidents, the review was more detailed due to the increased potential for contribution to the core melt probability. l ^( . h;j The " unavailability expression" due to independent hardware contributions for s4 tne SSPS for the transient initiated case is given on SSPSA pg. 0.5-38 as:
- b
]. .; ! 'h
'i 4(PC)3 + INVE + PS2 + LC2 +2(LC)(PS) ;.t
, .i ,1
.1 j
'y l l Li 4 , 3.5-41 I' e e
. wwe w+ -
.~~;~~ee-t m , _ , mm , , _ - . * - - - - -
e e* o m ..-me ~
n-wnere PC = Failure to generate a signal wnich triggers tne SSPS. In this
. case the signal is low steam generator level (2 of 4 low low level j si gnals) .
- i
.. INV = Inverter train failure, which consists of power supply, instrunent 1
} bus, and circuit breakers.
I '
. 1 -; PS = Power supply failure i
l1
;, LC = Logic channel f ailure 1
1 f This unavailability expression appears valid. 1 Using the above expression and values derived for each of the elements, the (' SSPSA computes an unavailability of 8.5E-7/ demand for the SSPS. In reviewing
} ,
the component failure rates used to compute.the failure probability, the only i*
~ rate which appeared to be outside the range of alternate data sources was the power supply. In this case, the SSPSA used 5.33E-5/hr (see-SSPSA Table 0.5-5
.m hl and Pg. 0.5-36), while alternate data sources suggest a value of about 3E-6/hr 7.!
'g .. (see Table 3.6-1). Using this latter value would produce a significant reduction in the SSPS unavailability due to independent hardware contributions ' ]
as quantified by using the unavailability equation. However, as illustrated by SSPSA Table 0.6-6, the major contribution to SSPS failure is human error
- b. .
j] . (miscalibration), estimated at 2.07E-6 as quantified in SSPSA Section J, 0.6.3.2.2.2. This result contributes over 70% to the total SSPS l- ,1 l { , 3.5-42
.h
. . . . e- --
e- - ~ + = . - - ~ . , , * ** ~ ~***-~'s v. v ~~ ye-.--.. .. m y e -.o. . . . em _. ,. wm. . pow gw y
r
- .- . . . . . .. x
. .g;: -~, -_
unavailability. Thus, reducing the independent hardware contribution as a result of a reduction in the power supply failure probability would not have a
~
s significant impact on tne total SSPS unavailability estimate. j
')
The human error contribution to SSPS unavailability for transient initiated d sequences was reviewed As indicated previously, this contribution dominates the"SSPS unavailability. The estimate of the human error contribution, as 4 provided in SSPSA Section 0.6.3.2.2 was found to be reasonable, although large l
'1 uncertainties are obviously associated with the estimate (see also Section 3.5
)
,N of this report for a general assessment of human error considerations in the q-
! SSPSA). Two additional contributors, maintenance and comon cause, were also l .
considered in the SSPSA. The maintenance contribution was estimated to nave a very small cont'ribution (1.77E-9 per SSPSA Section 0.6.3.3.1.2), and tnis ,, )I result appears reasonable. However, the comon cause contribution appears
- , l invalid and incomplete.
n-v The SSPS consoon cause contribution is considered in SSPSA Section 0.6.3.4.
! Otner than external events, wnich are dismissed, only one paragraph is devoted
,;.;J , to the SSPS common cause contribution (Pg. 0.6-52). In this paragraph, only g the logic channels are considered, and it is stated that "...the failure rate
- g .
4 for a logic channel is so small that the common cause unavailability _,.3 , contribution is insignificant in comparison to the comon cause instrument e, , miscalibration contribution." This conclusion is not quantified and does not
. .i appear valid. The failure rate for logic channels is, according to Page 0.5- 'd 36, 8.52E-5 per demand. Using the " generic" beta factor (0.125 per SSPSA a
y Table 6.3'.2) since no value is given specifically for logic channels, produces 3 j; a contribution of 1.1E-5 for failure of botn logic cnannels. Tnis failure l ', 3.5-43
- l. ._.
l t
- - * - . = = ~ * = ~ ~ ~ * * *=- -
a- ~ ~ = + , _ ; _*.a== y symy=e== , - - - . . , o m.- - e. + + . swe, .. -y - _ --=.p,-*,- ==7--+e--r--=+-m...
~
. -R, ..
= .. . - - - .
elcment app;ars in tna " unavailability expression" considered earlier. Obviously, this result is not " insignificant" and would, in fact, dominate the
< SSPS unavailability, being almost four times larger tnan the current SSPS result. Furthermore, a similar common cause treatment for power supplies and inverters which are not considered in the SSPSA would increase the SSPS unavailability further.
In sumary, it is concluded tnat the SSPSA assessment of SSPS unavailability for transient initiators is deficient in that connon cause failures are not adequately treated. The deficiency could have an influence on the core melt probability. Requantification of the unavailability would require deriving appropriate B-factors or validating the use of tne " generic" values for redundant SSPS components required for transient events. Such a derivation is Deyond the scope of the review. In reviewing the SSPS unavailability. estimate as provided in the SSPSA, several problems in addition to the connon cause deficiency were found. All of these were assessed to not have a significant influence on the ingortant
~
resu'l ts. They are as follows: 9 4 l 1. For some initiators (e.g., large break LOCAs), tne SSPS actuation l relies on pressure sensors in the pressurizer. It was determined f pmviously in Section 3.6 that the SSPSA pressure sensor failure rate was optimistic compared to alternate data sources. However, raising the SSPSA pressure sensor failure rate (7.6E-6) by a factor of 10 to be consistent with other rates did not increase the probability of any accident sequences to a significant level. 3.5-44 .
- 2. On SSPSA pg. 0.6-48, the maintenance frequency is 2.93E-6/hr and is
! --. said to be based on tne logic channel failure probability. However, this probability is 2.7E-6/hr according to SSPSA pg. 0.6-36.
- 3. The basis for the probacility distribution used to describe various.
testing time intervals (equation on middle of SSPSA pg. 0.6-41) is not provided. 3.6.2.7 Encineered Safety Features Actuation System The ESFAS unavailability quantificantion is presented in SSPSA Section 0.6. The function of the ESFAS is to relay actuation signals to various engineered safety. systems to mitigate the effects of accident conditions. The ESFAS recaives an input signal from the SSPS (see Section 3.6.2.6 preceding) wnien causes the generation of tne actuation signals. A The unavailability estimate in the SSP 3A for the ESFAS is 6.3E-5/d. As shown in Table 3.6-3, this estimatr. is generally consistent with similar unavailanilities from alternate sources. Total ESFAS failure does not appear
- in any of the SSPSA dominant accident sequences, although failure of one (of I I two) train in conjunction with additional unrelated failures does appear in two sequences, the core melt probability contribution from each of enese sequences is less enan li, of the total. Thus, a reduction in ESFAS l unavailability would not influence the SSPSA results, and any increase in i
. I unavailability would have to be quite large () a factor of 10) to have an 1 : l influence on the total core melt probability. As a result of this l insensitivity oT the core melt probability to tne ESFAS unavailability, to the
/ 3.6-45 a
l
. . e core melt probability, the ESFAS review was not con:prehensive. Ratner, a screening was performed to determine if any discrepancies existed with the
.s potential for a large increase in unavailability. No sucn discrepancies were found from the review, and the ESFAS unavailaoility quantification appears reasonable. During the review, several minor discrepancies were found, as follows:
- 1. The ESFAS success criteria as described on SSPSA pg. 0.6-4 appear l quite conservative. Some of the actuation fu'nctions would not have any influence on the core melt probability, such as containment
. sprays, containment isolation, and main steam isolation.
- 2. The quantification of the unavailability expression for transient initiators (SSPSA Section 0.6.3.1.3.6) on Pg. 0.6-30 includes an intermediate step in which numerical quantities are substituted for-
- c. the alpha identifiers in the equation for ESFAS (TI). This step (which is not supplied for any of tne other quantifications) is incorrect in tnat only the first t'vo terms of the equation (wnica includes 5 terms) are listed. The result (1.89E-6), nowever, appears to be reasonable (use of mean values for all quantities yields SE-7).
I i l [ ; 3. On SSPSA pg. 0.6-54 it is stated that "For tne ESFAS, no single cause i !' L of failure dominates, with consnon cause failures and random failures contributing about equally." For transient initiated accidents, the i ;
; ; statement is incorrect. As can be seen from SSPSA Taole 0.5-6, hardware failures contribute only 3% to the total unavailability,
( wnile consnan cause failures contribute essentially all of tne l l [* ', 3.6-46 i l t I
' ' ~~
's 4.} s remainder.
- 3.6.2.8 Containment Enclosure Air Handling System The containment enclosure air handling system is described, and its unavailability quantified, in SSPSA Section 0.7. The system consists of two generally independent subsystens which are co'nsidered separately, the containment enclosure cooling system (CECS), and the containment enclosure emergency air cleaning system (CEEACS). The CECS provides pump room cooling for some important support systems, including charging, safety injection, residual heat removal, and containment spray. Thus, the system can'be an important support system for some accident ' sequences in wnica sustained operation of these safety system pumps is required to prevent core damage.
The CEEACS, on the other hand, performs no function related to the prevention of core damage accidents but rather acts to limit tne release of radioactivity during accident conditions. This review, therefore, concentrated on the CECS
' unavailability quantification. .
As indicated in Table 3.6-3, very little data on CECS or CEEACS unavailability could be found from alternate sources. The only other datum found was a failure rate for the Sequoyah air cleaning system. .This rate is quite , i comparable to tne Seabrook rate. (The Sequoyah rate is equivalent to 6.7E-I j 6/24 nr vs the Seabrook rate of 3.19E-6/24 nr). I i The loss of CECS does not appear in any of the 43 most dominant core melt sequences as listed in SSPSA Table 13.2-12, nor does it appear in any of tne 14 leading sequences contributing to latent fatality risk in SSPSA Table 2.3-5. Thus, a reduction in CECS unavailability would nave no effect on core 3.5-47
. a .. . .
e ' -
,___~
relt probability or latent risk, and any increase would have to be significant, (> a factor of 10) to impact the results. Thus, only discrepancies with the m potential for resulting in a large increase in CECS unavailability would have
~
any impact on the SSPSA results. Accordingly, tne CECS unavailaoility review was limited to a screening effort to find only these large potential problems. The review did not disclose any discrepancies in either the CECS or CEEACS unavailanility quantification as described in SSPSA Section 0.7 with the potential for a large increase. During the course of the review, however,
- several minor problems were encountered, as follows:
~
- 1. The success criteria on SSPSA pg. 0.7-1 include the provision that at least one train of the CECS must operate for 24 nours. This provision seems inconsistent with assumptions made regarding the requirements for ECCS pump room cooling supplied by CECS. For l example, Section 0.7 states that the charging pumps, safety injected pumps, and RHR pumps will not fail for at least six hours after loss of room cooling (see also expanded discussion of this assumption in Section 0.7 following), and mission times of from 1 to 24 hours (depending on the assumed accident and ECC system) are required.
i 2. It is stated on SSPSA pg. 0.7-10 that "No credit is taken for
; , operator action to recover failed equipment over the period of this analysis." However, on Pg. 0.7-18, credit is given for operators to diagnose a failed train and take action to actuate the standby
! train. Ft.rthermore, it appears that no human error contribution is
,)
'. 3.5-48
---- - , , - - < - . . , - , , - - - , - - - . , , . . .,-.-_,.___.,___,e _ _ , , , , , - , . . , , , . - - . , , . . _ , ,,,,.,,_,,-.,.,,,n.- , . _ , - . . , - _ . _ , ,
a l considered for this action. Two hours is said to be available for stancby train startup. However, Section 0.8 states ECCS pumps will operate for icnger than six hours, with no room ventialtion.
. 3. On SSPSA pg. 0.7-18, boundary conditions 28, 2C and 20 are identified
- as those states wherein one emergency bus and the other PCC train is 4
disabled. These appear to be incorrect based on the Table on Pg. 0.7-9 in conjunction with the discussion on Page 0.7-10. -
- 4. The operability states listed on SSPSA pg. 0.7-9 include T signal failures for trains A or 8 with opposite train failure from PCC trains (states G and H). However, these are not considered failed l.
states from tne assessment on Page 0.7-10. S. The common cause contribution from failure of tne operating train and 9 failure of the standby train to operate (given successful start) is i ~n ot considered, and no discussion is provided for tflis possibility. However, assuming a generic 8-factor of 0.125 for this case would increase the failure probability by only about a factor of 2. L 1 3.6.2.9 Emergency Core Cooling Systems ! j The emergency Core Cooling System reliabilities are considered in SSPSA
.I Section 0.8. The systems considered include the enemical volume control system (CVCS), safety injection system (SIS), accumulators, and residual heat
- removal system (RHR). These systems, in various combi.1ations, are used to provide core cooling for various accident conditions, including loss-of-l .
i coolant accidents, steam generator tube ruptures, and various transient { t .
~
l ! ( t 3.6-49 l
;v i
t i
{ - u . . ;,.u; - - _ t events.. i Tne emergency core cooling function can be conveniently divided into two f operating modes. These modes are (1) injection, wherein coolant is injected by the ECCS into the reactor coolant system from an external water supply, and (2) recirculation, in which coolant is supplied to the RCS from the containment sump. For each accident class considered, the SSPSA examines the
. injection and recirculation modes separately altaough there is obvious I dependence between the two since much of the same system hardware is needed l ; for both modes. The SSPSA considers four accident classes; large LOCA, medium j LOCA, small LOCA and transients, and ATWS. In each case except ATWS, the injection and recirculation ECCS failure probabilities are quantified separately. For ATWS, the recirculation mode of ECCS is not required.
i The SSPSA assessment of ECCS unavailability as provided in SSPSA Section 0.8
; is a lengthy, comprehensive and complex assessment which was found to be f3 confusing and difficult to review in detail. n order to concentrate the s 9, ,( review in thos,e areas wnich appeared to have the greatest potential for -1 changing the SSPSA results, an examination was undertaken of: (1) the .; significan~ce of the ECCS systems in terms of CMP and risk contribution, and (2) the unavailability results for the systems as compared to similar quantifications from alternate sources. From this exandnation, those ECC t
systens *nich have both a significant effect on risk and unavailabilities I which are not consistent with alternate evaluations are candidates for in-1
; depth review.
1 According to SSPSA Table 13.2-11, only small LOCAs (of tne three LOCA t categories) and transients are significant risk contributors. Neitner ATWS I
- 3.6-50 s
nor large and med9um LOCAs appear in the table which includes initiating
; events wnich contribute more than 0.8% to the total core melt probacility, f .
i Thus, core melt accident sequences involving large and medium LOCAs or ATWS followed by ECC failure are not contributors to the core melt probability, and the failure procability of ECC systems involved in these sequences would have to be raised by more than a factor of 10 before such sequences would begin t , contribute to CMP. Further, according to Table 2.3-5 of the SSPSA, no LOCA sequences are contributors to early or late. fatality risks. i f
,j
. SSPSA Table 2.3-5 indicates that the three small break LOCA sequences wnich c' ontribute to core melt involve failure of the RHR system. In one case, failure of tne total P.HR system is included, and in the other two cases, one i RHR train c,oupled witn failure of the actuation system to start the alternate
, train is the failure mode. i e L; Examination of Table 3.5-4 of this report reveals that the ECC system failure ,
.: rates as quantified in the SSPSA for- the seven combinations of accident
, initiators are generally consistent witn the results of alternate evaluations
! except for large LOCA recirculation and small LOCA injection. For ATWS no
, comparison could be found, and for medium break LOCAs, no quantificaticn l appears to exist in tne SSPSA. In the two cases wnich appear inconsistent, I
j the SSPSA rate seems lower than others, although considerable variation exists j in all of the comparisons. u ! , As a result of the foregoing evaluations, a more thorough review was given to tne quantification of ECCS injection for the small break LOCA than for other ECCS modes. However, no problems were identified in SSPSA Section 0.8 of tne 3.6-51
,1 i
; SSPSA which had the potential for larga changes in any of tna ECCS failure I
i e t
. ,/
t e t i 4 i I I l i O.
'J t
4h t t
- i t
i
~'
3.6-52 i
. . . . . .. -.- . ___ . - , . _-. . . . . . ..-~~.. ~.. - ---- ~ .-
- 'i...-...---.- . .. . A I .
- .~
k-k e J
~ } ()designatesfootnote
[ ] desigastes reference documentation COMPAsi5all N SuPPGAT SISTEN FAILkBE SAIES 4 systes awm unn-I guuL JJ 2,__, T.qlj dleallj IEF-JLE) UtDef
.i
- l. Emergency Core Coellag: .
j I Large LOCA . lajection 43M-3 5.M-3/d 1.M-3/ 4.7E-4/20 stalli) 7.4E 4(33) Rectrculatloa 6.6M-4 I l.M-2/24 hr. 4.6E-3(j3I 3.7X-3/24 br. M-3 i I Medium 10CA ca lajection 5.M-4(2)/2hr.III 9.M-3/4 3.5E-3(3 33 7. W -9Il3I 5.6 M -5Il3I Recirculatten 1.0M -3(3I/ 2 hr. l. M -2/24 hr. SE-3(I3eI4) 3.7M-3/24 br. 5.9M-3/24 hr. 1 Alw5
' 5 mall LOCA/Iransleet lajection s.4M-5(43/6 nr. s. M -3/d 3.M-3(13) 7.4E-sil33 5.6n-5(13) 1.M-3(15) j Recirculation 3.M-4(l) M-3/24hrill) ef-3(I3.14I 3.M -4/24 hr. 5.8M-3/24 hr IE 5(13) ' 4,2E-6IIII 6.bE-6(III
- 2. Emergency feedmeter 6.7M -6/9 br. 3.M -5/8 hr. Q]($hN l
- 3. RC5 Pressure Rollefs l a
Feed 4 Sleed 1.0M-2/d Severe AlW5 1.5M-3/d M-6(8I/d . i Alw5 3.sM-4/d seseattag after ATW5 5.8M-2/d IE-2/4 i
' I Cheelcal Shutdoma 5.7M-4/d 8.M -3(9)/I hr.
I la AIWS
- 4. Mala 5tese System
; Secondary coollag I.SM-4(6)fg M514 isolatloa 8.90E-5/d 1.M-4/d(36II .M-3/d(15]
5.4 Isolation for 8.lM -6/d '
$4TA I Safety valve action 9.2M-3/d -
for SGit (steam) . Safety valve actlen 2.0lf-l/d , forSGlt(mater)
- I i
- 9 m
. ._ . . . . .. . . . ~ . . . . . . - --.h--.i.... ... --. . . - . . . - .
r (i t.. . . iJ Tahle 3.6-4 (Cont.) designates footnote COMPA4150ll 0F suPPORI SV51EM FAILURE RAIES systee aaram unan-leaut u zequayantgij noatij pr-M u j usher
- 4. Main Steam System . ,
4, (Continued) safety valve action 4.72E-8/4 for AlW5 lurhine trly 4.49E-6/d : i
- 5. Contalament Bulldlag spray lajection 7.25f-4/l hr.
2.4E-3/0.5 br. l.M-1(13) 5.5C-5(18) 3.2E-4(33) t.a cn secirculation 2.27E-4/164 hr. l.0E-4/24 hr. 3.X-3(13,16) 1.6t-3(13) 2f-3/24 tr.
"g 6. Containment Isolation 2.99E-4/d 2.4E-4/d(12) .
(1) includes contesament sup ave 11ahility, ceid les recirceustion i s o,. por time perises equal to er greater tnan Ju min. (la hrs.). and medi coollag for 23 hrs. 4 II i lacludes suitch to het leg reCirculatlee , (2) facludes high pressure lajectica systems. SW5T availability, i 12' Failure to reduce leakap helem 4' diameter hele equivalent t (3) lacludes CKS for 2 krs. i 13 f Tlee laterval not spectsled a (4) laciudes high pressure lajectise (6 hrs.). D e mintflow circulatten i 14 i Includes failure to reallen to hot leg recirculatlen after 24 hrs. j (16 hrs) and nW51 available (6 brs.) , 15 l Doelaat,4 by design reatures unique to Ice condenser containment (5) laciudes high pressure recirculotten systems (8 brs., contalament '
'16 i Steam line break outside containment sump (It brs.). AHR pumps (18 hrs). RHR coollag pugs (24 hrs) i 17 I Does not include accumulators at a rate of 9.M-4/d 6 . Following loss of offsite power i 181 lacludes a diesel-driven train in addition to tuo 81D trains 7 l Could not he found
< 8 Sate for failure of safety and relief valves to opea (9) CVC5 operates i
f I u i
.^
D O P
. A
modes, including injecticn for tne small break LCCA. Cne reason for tha somewnat lower SSPSA ECCS failure cata for small treaks is one capability of
- the plant to use either tne CVCS or tne SI systam (ona of two trains in eitner system) for recovery from small break LOCAs.
During tne course of tne review, several apparent deficiencies were found,
, none witn an obvious potential for significant changes in ECCS faiure rates.
I
; These are as follows:
t ~! l 'j , 1. The basis for many assumptions and conditions is not provided. l These include: I - Failure of PCC cooling fails SI pump is 5 minutes (Pg. 0.8-5). SI pumps assumed to f ail "at some time longer taan 6 hrs" if , i containment enclosure cooling system fails (Pg. 0.8-5).
- Failure of PCC during RHR sini. flow "is assumed to fail RHR pumps l f within 1 hour." (Pg.0.8-8).
- CVCS pumps will fail during recirculation "at some time longer than 6 hrs" if containment enclosure cooling fails (Pg. 0.8-10).
- Automatic valves (NOVs) failing by trans' ferring open is not considered as a failure mode (Pg 0.8-20). (A check of the failure rate for tne mode as given in Table 3.6-1 nerein
, indicates that this failure mode snould not be a significant
; contributor.)
3.6-55 9
- 2. It does not app ar that tha ECCS failure moda for mediua LOCA recirculation has been quantified. No failure expressions for this mooe are provided in SSPSA Subsection D.8.2.3.2 and do not appear to-be provided elsewhere. However, the unavailability for tnis mode should be similar for the large LOCA case and would thus not be a contributor.
2
- 3. It was determined during the review of common cause contributions i
; (SSPSA Section 0.8.3.4) that B-factors used for two ECCS components t
appeared to be inconsistent with alternate sources and also with the {
" generic" B-factor (0.125) used in 'the SSPSA. These two components were (1) the high pressure injection pumps where a B-factor of 0.0588 was used for fail to start and 0.0640 for fail during operation, and l (2) the RHR pumps, where a 3-factor of 0.0667 was used for fail to i
start. A description of the derivation of B-factors and values from r3 alternate sources is given in Section 3.10 of this report, along with
, 1 an evaluation of the B-factors used in the SSPSA. -
To determine if B-factors more consistent with alternate data for the high f- pressure and RHR pumps would have a significant effect on system failure probabilities, the common cause failure contributions as presented in Section l . 0.8.3.4 were requantified using B-factors of 0.125 for both components. Tnis i i requantification produced no significant (less than a factor of 2 in all i - i cases) change in tne ECCS failure probabilities for those systess and modes which employ the high pressure or RHR pumps. 3.6-56 w-l l 1 l __ . _ __ __ _ __ _ _ __ _ _1___
-- _ . ~ 1_11 - _._ _
3.6.2.10 Emergency Feedwater Systen The assessment of emergency feedwater unavailability is contained in SSPSA i - Section 0.9. As shown in Table 3.6.1 of this report, the assessed unavailability is 6.76E-6 for the case of no loss of offsite power and 4.34E-4 for loss of offsite power. Each result is for an assumed mission time of 9 nours. These results compare favorably with the other values listed from alternate evaluations in Table 3.6-1. The other values, except as noted, are for loss of offsite power (LOOP) conditions, although for the alternate assessments dependency of offsite power is generally minimal. The Seabrook j design is somewhat unique in this aspect of offsite power dependency. The reason for the dependency is that the startup feed system (wnich utilizes on 3 motor-driven pumps) is unavailable as an element in ne emergency feedwater systedi under LOOP conditions since, according to the SSPSA, lube oil cooling would be lost.
/-. An examination of SSPSA Table 13.2-12 reveals that emergency feedwater failure appears in four sequences which contribute about 2.4% to the total core melt probability (CMP). None of these sequences, according to SSPSA Table 2.3-5,
~
are dominant contributors to early or late fatality risks. Thus, emergency . feedwater failure is a small contributor to CMP and not a dominant contributor i l, to risk of fatalities. This result is not consistent with some other PRA results wherein emergency (auxiliary) feedwater system failure was found to be a leading contributor to CMP in sequences involving loss of all ac power. The } major reason, for this difference appears to be the assugtion in the SSPSA l that pug seal failures will always occur at Seabrook upon loss of all ac power which lead directly to core melt (if ac power is not recovered) regardless of the status of the emergency feedwater system. 3.6-57 4
- - - . ~ . e- -- n.-, - - -
,, . ,, ,, n--,,- - - - - , m,,,,w--_ . , , , . , - - - - - - - - - - - - , , - , - - , _ , _ . - - - - - . . - - , - - - - .
In reviewing the SSPSA quantification of emergency feedwater failure as provided in Section 0.1, no problems were found with the apparent potential to s change the failure quantification to the extent required to influence the overall SSPSA results. However, several errors and other discrepancies were found, as follows:
- 1. The discussion on SSPSA pg. 0.9-2 regarding tne prevention and
, detection of condensate storage tank freezing is vague and sketeny.
[ The "metnods" and " systems" available for detection and prevention are not defiried, and failures are expected to be "probably" remedied. No discussion is provided of procedures and tech spec requirements, if any.
- 2. SSPSA pg. 0.9-3 discusses tne automatic isolation feature of tne emergency feedwater (EF) supply if flow exceeds 450 gpm. The p possibility of this feature failing and putting the EF in an v_
isolation condition does not appear to be considered in the j subsequent system failure assessment. l l
- 3. The penultimate paragraph on SSPSA pg. 0.9-4 indicates that botn i
trains of tne solid state protection system (SSPS) are required to { actuate both emergency feedwater trains. Furtner, train 8 is
- required to actuate eitner EF train. This appears to disagree with the SSPS assessment wherein system success is defined as a signal from at least one SSPS train (Page 0.6-2).
3.6-58 A-
4 SSPSA pg. 0.9-15 (1st Paragraph) states that operation of tha turbine-driven EF pump is not dependent on a source of power. However, dc power is usually required for monitoring and control. The potential de power dependence is not considered in the SSPSA. S. The unavailability quantification on SSPSA pg. 0.9-16 includes a
- statement that failures of the startup prelube oil pump required for lI the startup feed pump are included "as failures of the startup feed pump". However, the startup feed pump failure rate used is the g ,
I
! general rate, for motor driven pumps, most of wnica would not be . expected to have a dependency on prelube oil pumps (althougn the ! SSPSA data base is proprietary and this cannot be confirmed).
l However, including a factor for prelude oil pump failure would not appear to have any significance on the failure of emergency feedwater. . 4 C.'.
- 6. In assessing the common cause failure contributions, it is stated on
- i. SSPSA pg. 0.1-32 that a " fire wall partition" separates the two emergency feedwater pumps. In inspecting this area during the
; Seabrook plant tour on August 29, 1984, no such wall was found to j exist. Further, plant personnel indicated that no plans exist to ~
construct such a wall . If this remains the case, fires, missiles, or flooding caused by one pump failure could readily fail the second pump since tney are very close together (a few feet). In attempting [ to assess the potential significance of such failures, it was determined, based on current SSPSA results in Section 0.9, that given j a failure of tne first pump, tae failure mode would have to disable l 3.6-59 i
w ....e.._. tha second pump about 10% of tha time to produce an emergency feedwater system failure probability approximataly equal to the
-- current SSPSA value (4.34E-4). This 10% contribution would appear to a
be quite nign for such failures. I 3.6.2.11 Reactor Coolant Pressure Relief The reactor coolant pressure relief system failure probability is considered j in SSPSA Section 0.10. Three pressure relief scenarios are considered: (1) i : feed and bleed cooling, (2) ATWS (including severs ATWS), and (3) recovery from ATWS (including reseating of valves and opening of PORVs to allcw CVCS , operation). According to Tacle 3.5-4 of tnis report, the only comparable evaluation of pressure relief unavailability nnich could be found is from WASH-1400. This comparison indicates the SSPSA probabilities may be too hign. (~. An examination of SSPSA Tables 13.2-12 and 2.3-5 reveals that tne reactor i coolant system pressure relief function does not appear in any of the dominant
' sequences for eitner core melt probability or fatalities. Thus, any reduction in pressure relief unavailability would have no effect on SSPSA results, and l ;
any increase would have to be significant in order to influence the results. {
!I t .
!{; The pressure relief unavailability assessment in the SSPSA is almost
- J
- l exclusively dominated by valve failure probabilities, eitner failure to open,
! l ' failure to close, or transferring closed. The valves of interest in this regard are the two PORVs, the two block valves in series with the PORVs (botn i 3.6-60 l
* .. . . . . . . wea = n_
, , - - - - , - . yc -- -,-m,.,,,
,.e.- we.. ,, ,-- ,, , - , , , , . ,g , -, - , . , .s_--~_, ,,_._,--._.,,,n. -+-_w--- , - .--, - - - - - - - . + - - - - -
.~
- . = w -"
MOVs), and tha three safety rel1Gf valvo. As indicated in Tablo 3.6-1, tna SSPSA failure rates for these valves appear reasonable based on comparisons
, with alternate data sources although large variations exist in some cases.
A review of the reactor coolant pressure relief unavailability as presented in the SSPSA disclosed no significant discrepancies. However, some minor
~
problems were found, as follows:
- 1. The feed and bleed success criteria (SSPSA pg. 0.10-1) assumes only that tne two PORVs need to open. However, for some feed and bleed scenarios, cycling of these valves may be required.
- 2. No basis is provided for the fraction of the time (0.1) a block valve is assumed to be closed due to PORY leakage (designated *f" on SSPSA pg.
0.10-5). To determine the influence of this assumption, a sensitivity
- - study was performed. It was found that the results are not sensitive to the assumed valve for "f". For exangle, it could be raised to a value of 0.5 and would only increase the pressure relief unavailability a maximum
, - of 257, considering all cases.
- 3. No consideration was given in the SSPSA assessment for the case wnere botn block valves signt be closed due to PORV leakage. (According to Pg. 0.10-3, tecnnical specifications would allow continued operation under sucn conditions). To determine if such a condition might contribute to the pressure relief unavailability, an analysis was performed assuming: (1) both block valves would be closed 10% of the time, and (2) a B-factor of
- 3.6-61
- . - , . , , - ~ , - - . . , . . , - ., - . - - - - _ , _ - -,,---...,-..,--_--,-,Y-,--..----_...--,. ,- ----..-,- -__ - - --
5.,.g.e . r 0.125 for tna conson causa contribution of botn block valves failing to open. All other valves were identical to those in the SSPSA. This
,, analysis revealed that only a 10% increase in pressure relief unavailability would result for tne case most sensitive to this condition.
- 4. According to SSPSA pg. 0.10-3, power must be removed from the block valves if they are closed following detection of PORY leakage. This power removal is, presumably, to prevent inadvertent reopening of the valves.
However, depending on system logic and operator actions required, it may be difficult to open the valves, resulting in an increase in the probability of the valves failing to open. Such a consideration is not
. included in the SSPSA quantification for tne case wnere block valves are closed (Pg. 0.10-5). .
3.6.2.12 Main Steam System
- p. Failure probabilities for various modes 'cf operation of the main . steam system s, .
are quantified in SSPSA Section 0.11-1. The main steam system, according to l the SSPSA, functions to provide adequate and prevent excessive neat removal
~
from the primary system. To determine the risk significance of the steam system failure, SSPSA Tables 2.3-5 and 13.2-12 were examined. Four sequences were found in wnich a main i ' steam system function appeared to be an element in the accident sequence. In all of these cases, however, tne function was secondary pressure relief in conjunction with emergency feedwater operation. Further, in all cases, the l emergency feedwater failure probability dominated over secondary pressure relief. The emergency feedwater failure probability was assessed at from 1.0 3.6-62
--- - - _ _ _ _ _ . . - . . _ . .,.m,,..,.--__,,r ,.,-4.__ ._ _ _- _ _._._, ____- - _ _ . . . . -_____.__-__--_-%
.,__,___mm_, , _ , - , - - _ _ . - ~ , - _ . - - - . . . . _ _ -
. _.. >- ^ : l (as a consequenca of preceding SSPS failure) to 4.3E-4 for two.of taa sequences. This compares with a secondary pressure relief failure probaoility 1 of 4.72E-8 for the ATWS case (a more severe condition tnan the four accident sequences being considered). The secondary pressure relief failure was not explictly quantified in SSPSA Section 0.5 for accidents represented by the four sequences. Therefore, the various functions of the main steam system do not appear to be significant i terms of core melt accident probability determinations.
I As shown in Table 3.6-4 of this report, very few independent assessments of main steam system failure probabilities could be found. For the only two cases where a comparison was found, the alternate value for MSIV isolation is very similar to the SSPS. For the other case, steam generator isolation, the alternate assessment is significantly higher tnan the SSPSA result, but tne
; accident condition is different (steam generator tube rupture vs main steam i line break).
[ The review of tne main steam system failure quantification in SSPSA Section 4 O.11 did not disclose any discrepancy with the apparent potential for enanging- >I the overall SSPSA results. However, several less significant apparent j discrepancies were found, as follows: i i
- 1. The relatively extensive treatment of main steam system functions in the
]i 3SPSA is unique compared to most other PRAs and may well be an advancement in PRA congleteness. However, the SSPSA does not provide an adequate explanation in Section 0.11 of the relationship between failure of the
- main steam system functions and the progression of severe accidents. In l ~
3.6-63
. _ _ . . . = ...____.. -. .._.. - . . .
-w- -
,.%.-., --+ +- . , , - _ _ , , - _ _ ,--_p ,. , - . - - . , . - - -_ . . __, -_, .-% _. , , , ,.-- __ , , _ . - - -
_ . . _ _ . . =
-s- -
m particular, tha SSPSA definition of system sue:e:s criteria (Pg. 0.11-1)
- does not indicate the consequences of failure or what measure of success p was actually used. It appears in tnis regard tnat failure to meet at least some of the success criteria does not lead to severe core damage accidents .
- 2. In assessing the conunon cau'se contribution for atmospneric relief valves (ARVs), the SSPSA assumes (Pg. 0.11-15) that a B-f actor of 4.23E-2 is appropriate because "...of the similar complexity of tne control circuits of the ARVs and a typical MOV." While this assumption may be valid, it appears questionable and not substantiated by data. The B-factor for MOVs.
is quite low, almost a factor of 3 less tnan the generic S-factor (0.125) wnich is used in the SSPSA for other components which were not explicitly quantified with a proprietary data base. In view of tnis difference, it was considered appropriate to re-examine those steam relief system i n functions in which multiple ARV actuations were assumed to be required.
. Of tne six main steam system functions quantified, multiple ARY actuation appears only in the secondary cooling function. Requantifying the secondary cooling function failure probability using a B-factor of 0.125 raises the probability for the offsite power available case to 1.66E-7, a factor of about 2 above the SSPSA result (see SSPSA Table 0.11-4) and l 'ncreases i the loss of offsite power case by a factor of about 3 (to l t . 5.35E-4).
l
- 3. In assessing the conunon cause contribution from multiple MSIV failures, the SSPSA assumes again a 8-factor of 0.0423 based on "...similar l
l l 3.6-64 t
=_... .. .... _ _
.. - . _ r.;;
2-_ -
] complexity of tha control circuits of tha MISIV and a typical MOV.* As
. discussed in item 2 preceding, this assumption is questionable and not
- - fully justifled.
To determine the influence of astuming that the generic B-factor (0.125) applies, the main steam system isolation failure probability for main steam line breaks or turbine trips was requantified SSPSA Section l 0.11.3 2, the only instance where multiple MSIV closures appear). This requantification results in an increase of about 'a factor of 2.4 in the failure probability, to a value of 2.15E-4.
- 4. The SSPSA argues (section D.11.3.4.2) that no comon cause contribution is
, expected from mitiple failures of main steam system safety valves. The argument is based on the premise that missetting of pressure setpoints would not have any effect because "the magnitude of a missetting error is limited by the spring select 1.on on the safety valves. Also, an error as
( muct; as 100 pounds over design pressure does not affect system response in
- . this event." The argument does not, however, indicate what the maximum l i '
missetting error actually is and whether tnis error is within the 100 pound margin. Furthermore, no mechanical connon cause contribution (such as mitiple corrosion seizing of the valves) is considered. In view of i these shortcomings, requantification was undertaken of those main steam { system functions involving altiple lifting of safety valves using a B-
! i factor of 0.125. The only instance wnere such a consideration appears to
. \
, be of significance is for the case of safety valve action for ATWS. In this case, a requentification using a connon cause 3-factor of 0.125 for I ,
the safety valves produced a result of 4.1E-5 compared to 4.72E-8 as
.s 3.6-65
-.,....-...m.. - _ , _ . . , _ _ _ _ . _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _
n fir.~ u.:. n -
. . = - '
quantified in SSPSA Section 0.11.3.5. While this difference is quite significant, the probability of ATWS (on the order of IE-4) makes the I
.m comnined probability of ATWS and steam system safety valve failure so low that it would not be a risk contributor even if core melt were assumed to i
occur.
~
I 3.6.2.13 Control Room Complex Heating". Ventilation, and Air Conditioning l (HVAC) The assessment of control room HVAC failures is provided in SSPSA Section 0.14. Control room HVAC failures are treated as a failure following the initiation of an accident sequence from other causes. A mission time of 24 nours is assumed for all cases. Control room HVAC failures do not contribute to any of the dominant sequences for core melt pronability or fatality' risk as indicated in SSPSA Tables 13.2.12 and 2.3-5. Thus, these HVAC failures were found to be an -
'w _
insignificant contributor to tne SSPSA results. -
; As shown in Table 3.6-1 of this report, no alternate evaluations of control l
l room HVAC failure were found. The SSPSA appears to be one of the few PRAs 1
; (pernaps the only one) which provides an assessment of this consideration.
i
-; SSPSA Section 0.14 concludes tnat, based on the SSPSA assessment, failures of i
4 i the control room HVAC "do not significantly affect plant response or operator f, response to the initiating events of interest". Based on a review of Section O.14, no discrepancies were found which appear to have the potential of invalidating this conclusion. However, several discrepancies, which appear to be minor relative to the overall results and conclusions, were found, as L t 3.5-66 l'
-- - - _ - - - - . __- _ _, -v- - , -- - - . - - , ,-- -- - , -
follows: 4 i 3, 1. The control rocm HVAC descript,1cn provided in SSPSA Section 0.14 is
,.y inadequate for an understanding of the system operation.
- 2. It is not clear, as indicated on SSPSA pg. 0.14-3, why opening of OP-53A or OP-538 dampers is necessary to restore control room air conditioning on <
, j loss of offsite power. These dagers do not appear (SSPSA Fig. 0.14-1) to , I be associated with the air conditioning system.
I;
- 3. There appears to be little or no basis for some assumptions given on SSPSA pg. 0.14-5. These include: -
- a. failure of vital instrument and control systems is assumed to occur 2 hours after control room high temperature alarms have initiated.
- p. .
- b. during station blackout, vital instrumentation is assumed to last at least 8 hours without operator action. (A personal letter is referenced but not provided to' support this assumption.)
i { 4. The quantification of system unavailability from hardware failures (SSPSA Section 0.14.3.1) does not provide enough detail. A general formula to cover any nuocer of components is provided, but the specific components
;; considered, and their assumed failure rates are not provided. (This lack of detail is inconsistent with the other system quantifications in SSPSA Appendix 0.)
i 3.6-67 I I t
- , - :. : " - [_
; l S. The frequency of occurrence for maintenance for the emergency cler.nup fans l
(approximately every four years) seems excessively infrequent. The basis l l l ,m, is stated to be in SSPSA Table 6.4-1 (type 4). However, these congonents
.'.)
{ are not listed in the table. l
- 6. In assessing the connon cause contribution to control room HVAC failures, it is assumed (SSPSA pg. 0.14-10) that there is no common cause link
} .l between failure of an operating atr conditioning train and failure of an i
j identical train (in standby) to stirt and operate. No basis is provided - for this assumption other than the, trains "are indifferent operating modes". Assuming no link between the operating modes of identical trains even if one is initially in standby appears questionable. To determine if { consideration of such a connon cause contribution could be important, an assessment was done assuming that the second train could fail in tne operating mode from the same cause as the operating train. A generic S-f' actor of 0.125 was assumed. "The only case where this consideration applies 1s no S signal required with offsite power avallable (Condition 1A
! as defined on SSPSA pg. 0.14-4). The reassessment resulted in a factor of l
i 8 increase in the failure probability of the air conditioning function. However the SSPSA failure probability for this case (1.2E-10) is so low
. that the increase would have no effect on the overall significance of HVAC l failure.
I
. i Li 3.6.3 Conclusions p: . ,
Based on the review of component failure rates and system failure probabili-ties as presented in the SSPSA, the following conclusions have been derived. l 3.6-68 l v l
~~' ~ '
, , y, . . . . ci .
6 .
, Details pertaining to these conclusions may be found in Sections 3.6.2 and 3.6.3 preceding.
p.
- .. y
! 1. Tne SSPSA component failure probabilities appear, in general, i
f reasonable. While some differences were found in comparison with alternate sources, wide variations were also found among these sources in '
! many instances. The SSPSA component failure rates do not appear, on balance, biased in either the conservative or optimistic direction witn respect to alternate data sources. No instance was found in wnich ! changing an SSPSA component failure rate to be consistant with alternate I ! sources would make a significant change in tne SSPSA results for risk or core melt probability. It should be noted that tne data based used, and adjustments made to it for application to Seabrook, is apparently proprietary and not made available for this review. In several cases, no comparative data were found. inis is due, in part, to the ratner f
{ comprehensive treatment of component failure rates in the SSPSA compared to other PRAs and data sources. i :
- 2. The mean to median relationship in the SSPSA appeared, for the most part, l reasonable. However, in a few cases, tnis relationsnip was found to be i
; questionable and not consistent with alternate data. Tne signiftance of I
{- these differences was not evaluated in this review, but tney would not be expected to have any significant impact on results. l .! i 1 i 'i
- 3. The system failure rates generally appeared to be reasonaole. The SSPSA i system failure rates did not agree in some cases with alternate sources i and no comparison could be found in others. Furtner, a persistent ca..cern L .i 1
c
; (j 3.6-69 l
l
ff,,
,',-. e
~
! was found in the treatment of conmon cause failures. Tnese concerns -
I j included: (1) exclusf ort of passive and other components from common cause i l O failures, (2) use of very low beta factors for some components, (3) no y connon cause link between different operating modes. In spite of tnese problems, no instance was found wnere requantifying the system failure probability resulted in a significant change in the SSPSA results. In a I few cases, however, it was not possible to draw definitive conclusions j about the influence of these concerns. In numerous instances, as noted in preceding subsections, the SSPSA does not provide the basis for i - assumptions made in quantifying system unavailabilities. { i i h l \ 5 O w
.i i
j , . i
.i s
e 9
*T ,
(, 3.6-70
, -- -~-
t i l
! p, 3.6.3 References for Section 3.6 s./
3.1 National Reliability Evaluation Program (NREP) Procedures Guides,
' NUREG/CR-2815 Final Draf t, September 9,1982.
3.2 Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, Brooknaven National Lao., January 1984. -
- 3.3 Reactor Safety Study, WASH-1400, USNRC, October 1975.
3.4 Data Sumaries of Licensee Event Reports of Pumos at U.S. Comercial l Nuclear Power Plants. NUREG/CR-1205, January 1980. 3.5 Data Sumaries of Licensee Event Reports of Valves at U.S. Comercial
!' Nuclear Power Plants, NUREG/CR-1363, June 1980.
3.6 Generic Data Base for Data and Models Chapter of the National Reliability Evaluat1on Program (NREP), EG&G-EA-5887, June 1982. 3.7 Zion Probabilistic Safety Study, Comonwealth Edison Co., Copyrignt 1981. 3.8 Millstone Nuclear Power Station Unit 3 Probabilistic Safety Study, Northeast Utilities,1983.. . n - Data Sumaries of Licensee Event Reports of Diesel Generators at U.S.
') ,
3.9 Comercial Nuclear Power Plants, NUREG/CR-1362, March 1980. 3.10 Reliability of Emergency AC Power System at Nuclear Power Plants, NUREG/CR-2989, July 1983. 3.11 A Probabilistic Safety Analysis of DC Power Supc!y Requirements for Nuclear Power Plants, NUREG-0666, April 1981. 3.12 Data Sumaries of Licensee Event Reports of Control Rods and Drive Mechanisms at U.S. Comercial Nuclear Power Plants from January 1,1972 to April 30, 1978, NUREG/CR-1331, FeDruary 1980. 3.13 " Reliability of the Emergency AC Power System at Nuclear Power Plants",
'; R.E. Battle, etal., presented at International Meeting on Thermal Nuclear Reactor Safety, August 29-September 2,1982 Chicago,
.! NUREG/CR-0027 0 Reactor Safety Study Methodology Applications Program: Oconee #3 PWR 3.14 Power Plant, NUREG/CR-1659, G.J. Kolb, etal., Sandia Laboratories, May 1981.
l 3.15 " Auxiliary Feedwater Systems Reliability", Ebasco Services, presented at International Meeting on Thermal Nuclear Reactor Safety, August 29
- September 2,1982, Chicago, NUREG/CR-0027.
.g 6
3.6-71
-p r ,. ., --y s---- ,-- , ,-- y-- .-y r -s ---- - ---- --,--y--,-- --
y--e -
t
- I 1
3.17 Reactor Safety Study Methodology *colications Program: Secuoyan Al PWR l Power Plant, NUREG/CR-1659, Feoruary 1981. e e 3.18 Cormon Cause Fault Rates for Valves, NUREG/CR-2770 EG&E Idaho, Inc., ' M Feeruary 1983.
- b. -
i i 1
- s -
.)
1
't of' i
.i .
J* I
/*%,
eer
.T
*h I
s e e h 7 eI
.{
i g 6 P f
^1 d*.
3.6-72 l l'
3.7 OPERATING EXPERIENCE ANAL.YSIS 1l (m The quantification of systai unavailability, event sequence occurrence and public risk provides. important results from any PRA. The validity of these 1, results depends on the use of operating experience to derive appropriate
~! failure data. In the SSPSA, operating experience is used as an important 1
j . input for determining the frequency of ' initiating events, randem failure i - ' rates, maintenance unavailabilities, common cause beta factors and human
.j errors. This section provides a review of the use of operating experience in I the SSPSA for each of these areas.
A Bayesian method is used to develop the SSPSA data Mse. For this method, :1
\ -
i price body of knowledge is updated withr new evidence to derive a present state- ,
- C- of knowledge about a ' parameter. In this case the parameter is a probability distribution for the frequency of an elemental event, for example, a component failure rate or an initiating event frequency. If the new evidence used to i
update. prior information is plant speci.fic, then the resulting parameter will
; also be plant specific. .
l1 - l { Generally, there are three types of data available for use in a PRA; general l
; engineering knowledge, historical information and plant specific experience..
i The SSPSA uses industry-wide sources (historical information) as the prior
$ state of knowledge and updates these sources using engineering knowledge of
'the Seabrook plant, engineering judgement as to the applicability of these data, plant specific infonnation from other PWRs similar to Seabrock, data from other PRAs, and proprietary information. Since Seabrook is currently
.a 3.7-1 4
i i under construction, no plant specific operating experience is available. I t 3 N-
- The general sources upon which the SSPSA bases its data are given in the i
references. The specific data sources, information used and the details of . the development of each specific data rate, maintenance frequency, etc. have. been retained as proprietary information and not'available for review.. The I SSPSA data base is revtewed in Section 3.6, Failure Data. I i s-3.7.1 INITIATING EVENTS . i
}
l Operating experience was used to determine the frequency of the initiating events identified for the SSPSA analysis. There are twenty-four initiating
- events other than external " events" analyzed. Since Seabrook is not an i cperatir.g plant,.no plant specific operating experience is available. .
() Therefore, estimates of the frequency distributions were largely based on generic industry experience from other operating plants. The primary sources ~
- used in this analysis include an EPRI compilation of transient data (Ref. 3.7-
- 8) and. Nuclear Power Experience (Ref. 3.7-6).
' .The initiating events are devided into two general groups. The first group is
- composed of those events for which the available data from other nuclear power i
l plants were judged to be relevant. The second group consists of those events. for which the industry- wide data does not apply. For this group, the i frequency of the initiating event was determined from an analysis of the
~
- specific Seabrook systems involved, using generic industry data. The two groups of initiating events are listed below.
w=* 3.7-2 1 -
... - - - _ - . - - . . . _ . . . " . _. - . T: _ - -. .
Group 1 - Initiating Events Quantified Using Data Fnan
,s
- j Operating Nuclear Power Experience Excessive LOCA Large LOCA
- Medium LOCA I .
j Small LOCA, Nonisolable i i- Small LOCA, Isolable 4 I Steam Generator Tube Rupture i i Reactor Trip - Turbine Trip Total loss of Pain Feedwater Partial Loss of Main Feedwater
. Excessive Feedwater Flow '
. (~7:
~-
; Loss of Condenser Vacuum ,
t Closure of One MSIV l Closure of All MSIVs - Core Power Excursion . l ; Loss of Primary Flow ( St'eam Line Break Inside Containment r . i l Steam Line Break Outside Containment l . Main Steam Relief Valve Opening Inadvertent Safety Injection Loss of Offsite Power ! Loss of One DC Bus m 3.7-3
Group 2 - Initiating Events Quantified By Performing
. ]) Seaoreck Specific Systems Analysis Interfacing Systems LOCA Total Loss of Service Water
' Total Loss of Primary Component Cooling Water
-j -
-I 1
I For the Group 1 initiating events, the EPRI study was the principal source of data. The data in this study were reviewed and edited for use in the SSPSA. The editing resulted in the removal of incidents not deemed applicable to Seabrook and the addition of other incidents from other sources. The final
. result was a list of the number of events and total operating times for each of the 36 PWR plants included in the data base.
- ~
- (~')
The EPRI study, however, was performed for ATWS initiators and does not
- provide data on LOCA initiators. .Therefore, several sources of nuclear industry data' including Nuclear Power Experience (NPE) were reviewed to obtain
.; . plant population data for these initiators. This data includes several events j judged applicable to the SSPSA study that occurred during nonpower operation I
i of nuclear plants. , i - 1 The loss of offsite ' power initiating event data were based on review of those incidents at all nuclear power plant sites in the United States. Similarly, the data for loss of one DC bus and steam generatorrupture initiating events were obtained from a review of NPE. f i 3.7 .
}
l l The data collected for use in quantifying the Group i events were the basic
~) input to the Bayesian data analysis peccess for the generation of a frequency
. l distribution of each of the initiating event groups. The list of specific
)
incidents and the details of how the frequencies were quantified have been retained as proprietary information and were not available for our review. The quantification of the Group 2 initiating events was obtained by a Seabrook
; system specific analysis. This analysis determined the propability of failure
, of the specific systems involved in the initiating event based on the system components and configuration. The component failure data was taken from industry-wide sources.
Within the framework of the limited information available to us, our review of the use of operating experience in determining the frequency of initiating events at Seabrook identified no major concerns. The methodo_ logy employed and the discussion given in the SSPSA are appropriate for the analysis. However, without reviewing the actual data and quantification, a complete assessment of the accuracy, validity and completeness of the analysis could not be made. o I, The use of nation-wide data for the quantification of the Loss of Offsite
- Power initiator causes us a minor concern. In the context of the Bayesian i procedure, the nation-wide data should be used as the prior distribution and region specific information should be used as the update. This procedure v . .
would account for the plants on the Northest Inter-tie which experience a. higher incidence of hurricanes and other severe weather. In light of this discussion, the frequency of the loss of Offsite Power initiating event could be optimistic. l 3.7-5
. - L: .
~,L__ _ ~. . _: ~.L~. * ~ T- ? l 1 ._ ? _ ?_~ :?:~ ~~ ~ L T - T
l - . 1 3.7.2 COMPONENT FAILURES i
~
6 ~h The SSPSA component failure data was developed for macroscopic component
. failure modes. Based on the level of detail employed in the system models,
~; macroscopic component failure modes were defined and component failure rates j: developed that incorporated the various failure modes of each component. For
..' example, the SSPSA MOV failure data incorporatas valve mechanical failures, j MCC contactor failures, local control circuitry failures, valve motor failures l and failures of any other auxiliaries directly associated with the valve or
~I s its prime mover.
The daca development effort used a Bayesian procedure. A subjective
. " weighting fa.ctor" was assigned to each piece of data, based upon the
~
perceived compatibility of the source .with the desired failure rate
^'
(- ; information. The weights are assigned by assessing either a _ range factor or sigma parameter for the likelihood function of each source. 1
! The SSPSA indicates that specific failure rate data from nuclear power plants
' . examined in previous and ongoing studies was used along with various industry-L 'I wide data ccmpendia. The IEEE STD-500 (Ref. 3.7-2) was mentioned. However, I
j the list of generic data sources specifically used for the development of component failure ratas and unavailabilities was retained as proprietary information. A review of the component failure data is given in Section 3.6, Failure Data.
' .i l
3.7-6 e ** *
- se s e mee _
w v-, . - - , .. ,y , , - - - - - - - , - - - . , - + , - - - ---.--.i-, ,s. ,, ---+-r----- -..- - , -- ---u--
3.7.3 MAINTENANCE DATA
.. .~-
The maintenance data used in the SSPSA was generally based on accumulated experience from other nuclear power plants. Since the Seabrook plant has no
. operating experience, generic test and maintenace intervals and repair times from a broad base'of industry experience were used. These data were then updated using Bayes theorem to account for the Seabrook plant specific system i
configurction, general test and maintenance procedures, technical l .
! specification and administ,rative restrictions.
i. The data analysis considered only non-cold shutdown operating conditions. The activities are not delineated; they include repairs experienced during operation, repairs during testing, removal from service for special testing or inspecticn, cinor adjustments," hardware modification, etc. The SSPSA determines the state of knowledge distributions for the unavailability of components due to maintenance by multiplying the frequency and mean duration of maintenance distributions together using discrete l ;* probability distribution (DPD) arithmatic. The frequency and duration of maintenance distributions and the resultant unavailability distributions are i developed for the four general component categories listed below. i Type 1. - Standby Pumps, Tested Monthly Type 2 - Normally Operating Components, Low Failure Rate Type 3 - Component Requiring Relatively Frequent Maintenance 3.7-7 n.- -T __.
'# ~h Type 4 - Component Requiring Relatively Infrequent Maintenance f Within the context of the limited information available to us, our review of the development of maintenance unavailabilities using operating ' experience found no major concerns. The actual data and analysis has been retained as
- proprietary information. The met 4todology employed is valid and the discussion of the analytical considerations indicates completeness.
However, we are concerned with the application of only four maintenance - unavailabilities to the many and various components throughout the plant. Specifically, the application of a general maintenance unavailability to an important component that has been found from operating experience to be less reliable and require extensive repair. Therefore, important components ('# identificd in the systems analysis that have been found to be particularly unreliable and/or that have long repair times should be considered on a case-by-case basis. - l t 3.7.4 COMMON CAUSE FAILURE PARAMETERS (BETA FACTORS) The analysis of dependent failures such as certain common 'cause failures are implicitly treated in the SSPSA by using beta factors to account for their contribution to systems' unavailability. Examples of these common cause failures are design errors, contruction errors, procedural deficiencies and unforeseen environmental conditions. t . s 3.7-8
The development of beta factors is based on historical evidence and limited to
') several key. components identified through a review of the systems analysis and their impact on system unavailability. The main source of data was Nuclear Power Experience (Ref. 3.7-6). , 0ther sources are said to have been consulted especially in the case of dieseT generators but they are not identified in the
, SSPSA.
. For each key component, the data sources were reviewed to ,indentify actual or potential comon cause failures. Appropriate weights were assigned to these failures and posterior distribution of the beta factors were calculated usi'ng Bayes' Theorem. The prior distributions used in the calculations were mostly uni form. However, for componen't with little data, nonuniform " generic" distributions were used. These" generic" distributions are based on the
. variability of beta facters for several other components judged representative ,
"' of typical components and failure modes. -
The details of the collected data and classification of events as well as the development of the beta facter distribution for each component have been
' retained as proprietary infonnation, and not provided to the review.
; .I Our review of tho.use of operating experience for the development of beta factors found no area of concern. For the beta factor treatment of dependent failures, the methodology and discussions in the SSPSA, to the extent given,i, are valid and complete. However, a thorough assessment of the data and
' development of the beta factors could not be performed due to the fact that this information is proprietary and iii was not .r.2ade available for review.
.J l
l , 3.7-9 l '
. _ . _ _ _ _ _ - - . _ _ _ _ _ _ _ _1 _ __ .f_'__._.____ ._ ' ~Z _ .. _
- L 3.7.5 HUMAN ERRORS Operating experierice provides an important input to the qu3ntification of human errors in nuclear pcwer plants. The principal sourca of information
- used in the SSPSA is the. Nuclear Regulatory Commission human reliability handbook (Ref. 3.7-7). This work provides qualitative and quantitative information for assessing human performance in numerous situations.
In the SSPSA, lognormal distributions of human error rates are developed. These distributions use the best estimate human error probabilities given in the handbook as median values and the upper bound estimates as the 90th .
~
percentile. This procedure accounts for a greater uncertainty about the error rates than the generic source. The best estimate and upper bound values' are
- ch :cr. fer the particular human action that is analyzed. The SSPSA analysis .
I O. . also considers the dependence between human errors when two or more tasks are
~
performed. The human error rate distributions presented in the SSPSA apply to normal i . tasks. Iligh stress situations, such as large LOCAs, are analyzed where they j,
- arise. A complete discussion of human , error failure data and its use in the SSPSA is provided in Section 3.5, Human Factors.
3.7.6 CONCLUDING REMARKS In general, the methodology and discussion given in the SSPSA indicates an acequate treatment of the cany considerations necessary to develop a plant .
*) ,
specific failure data base fnmn current operating experience in the nuclear
. 3.7-10
~~
s.. . _ _ w- . i' industry. The sources of data reported in the SSPSA comprise a broad base of
) industry-wide experience and informatioa. Based on the above discussion, the operating experience analysis provides a generally acceptable data base for estimating system unavailabilkty, accident sequence occurrence and public risk at Seabrook.
We do, however, have reservations about the proprietary ' nature of the actual data used and analysis performed for determining the data base. Without
~
reviewing the actual analyses, we can not make a complete assessment of its accuracy, validity and completeness. We have two minor cencerns with the operating experience analysis presented in the SSPSA. The first is that the use of nation-wide data to estimate the frequency of the loss-of-power initiating event without consideration of
~~ ' northestern regional data 'may yield an optimistic value for the frequency of
- this event. The second is the use of only four categories for quantifying the i
- maintenance unhvailability of all components at the Seabrook plant. The maintenance unavailability of safety significant components that have been f
j- found to be unreliable and/or require extensive repair times should be treated i on a case-by-case basis. I
~
I . f
. .i
-i i
a J 3.7-11 I i ( : l __ . _. .. ..
^
.q.,
.- n ,
~
h REFERENCES for SECTION 3.7 l. 3.7-1 U.S. Nuclear Regulatory Comission, " Reactor Safety Study: An Assessment of Accident R.isk in U.S. Commercial Nuclear Power
, Plants, " Appendix III, " Failure Data," WASH-1400 (NUREG/75-014),
a j October 1975. , 3.7-2 Nuclear Power Engineering Committee of the IEEE Power Engineering Society, "IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data f for Nuclear Power Generation Stations," IEEE STD-500, June 1977. 3.7-3 Hubble, W. H., and Miller, C.F., " Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear' Power Plants," l t NUREG/CR-1363, EGG-EA-5125, June 1980. l s i 3.7-4 " Zion Probabilistic Safety Study", Commonwealth Edison Company, 1
- September 1981.
f
.h
! 'I Ii 3.7-5 Hannaman, G. W., GCR Reliability Data Bank Status Report, General p p . l [ Atomic Co., GA-Ala839 UC-77, July 1978. s
! Nuclear Power Experience , Petrolium Informatifon Corporation,
-} 3.*7-6 ,
i 3 August 1981. Swain, A. D., and Guttmann, H. E., " Handbook of Human Reliability n (] 3.7-7 i-0
- 3.7-12 5
t' t
.- ,. T.- - _ - _ _ : ::- - -
e Analysis with Emphasis en Nuclear Power Plant Applications," 1
) Draft Report, NUREG/CR-1278, Octaber 1980.
3.7-8 Electric Power Research Institute "ATWS: A Reappraisal Part III, Frequency of Anticipated Transients," EPRI NP-2230,1981.
~
3.7-9 Seabrook FSAR, RAI 440.133. i . 1 i h 1 i I' I i ,i i L : . \; I a i i - l J l 3.7-13 l e y - , , _ , y. . m.. -, , . , - , -,
~ '
~
h - t 1 . 3.8 ANALYSIS CODES i
']
The overall methodology used in the SSPSA requires the used of any computer codes to generate the results. Computer codes were used for data preparation and analysis, dependent failure analysis, the development of internal and external initiating event frequencies, construction and analysis of the plant
; model, analysis of accident phenomenology and containment response,
< development of the site model, analysis of accident consequences, and the
. quantification of care melt frequency and risk curves. The more than 20 computer codes used for these analyses are listed in Table 3.8-1. This section presents a brief discussion of these computer codes and their uses in the SSPSA. Complete code desc'riptions can be found in the references.
,.. 3.3.1 OATA ANALYSIS V _
The accuacy and validity of' the plant and site analysis depends on the use of appropriate ' data. Several computer codes were used to aggregate the various data sources for use in the matrix formalism. The Bayesian update codes, o ELNOR2 and BEST, were used to develop plant and component specific failure
. frequency distributions using generic industry-wide data, engineering i knowledge and expert opinion for the quantification of initiating events and 1
system unavailability. The BETINV code was used to estimate percentiles of { the beta probability density function for the analysis of common cause
; dependencies among components. The RTIME code was used to calculate the probability distributions of mean repair time using a set of actual' repair
, , times. These repair time distributions were used in the analysis of system
'. maintenance unavailability.
J . 3.8-1 6****oe *
-m- ;6
,6e**-*<= , _
I 11 9 3.8.2 EXTERNAL EVENTS ANALYSIS l The values used for the frequency of occurrence of external events are determined from existing data and expert opinion aided by various computer codes. Data for two external events, fires and earthquakes, was developed using computer calculations. J l . The analysis of fires was performed using the COMSP and THEAT computer l l codes. These computer codes deterministically model the behavior of fires in compartments and against heat barriers, particularly during early periods of early fire growth. The output from these codes includes heat releasa rates, gas temperatures, fuel burning rates and thermal heat flux at user-specified t ! s locations. These codes are used to estimate the extent and type of fire
- l 0; .
damage that may occur and the frequency of occurrence.
^ j. _
i Because fires and other external events are major sources of comon cause l failures in systems, the SETS code is used to determine minimum cutsets and
-] -
frequencies for spatially interacting senarios. ,j The assessment of seismic failures in the SSPSA was performed using the SEIS4 L 1 -
.j code. This code combines the individual fragilities of equipment, components P .a 1
and structures into aggregate ditributions based upon the event tree results
~l for each seismic accident sequence senario. A Boolean expression linking'.the 4
1 top event to the response of the components is developed. The aggregate
' l
' ~
i l 1 3.s-2
y;. .- . ,. . t . I I j fragility distributions are then assembled with the seismicity distributions
) for the site. The results of this procass are the frequency of occurrence of the plant damage states for each particular seismic senario.
3.8.3 PLANT MODEL ANALYSIS
~!
The matrix methodolgy employed in the SSPSA for developing and analyzing the i plant model requires the use of several computer codes. The individual matrices for early and late response of the auxiliary and frontline systems
- are assembled into the plant matrix using the MAXIMA code. This code also provides information neeced to determine dominant paths through the plant model. The CROSS code, used for matrix manipulation, performe standard matrix addition and pultiplication, diagonalizes a row matrix and triagonalizes a general matrix. Once the plant matrix is developed and analy:ad, it is
'~' decomposed to find dominant sequence and paths through each of the individual l matrices. This unraveling process is performed using the RAVEL code.
I ( . s . The individual matrices are analyzed using the COSET and ETCS codes. The h . COSET code combines small event trees into complete event trees for input to ( ETC6. The ETCS code calculates the conditional frequencies of the entries in l each of the individual matric m. This code also processes, draws and
. quantifies general and release category event trees.
The plant model quantification is perforund by the OPD2 and STADIC codes.. .The DP02 code performs various algebraic operations on independent discrete probability distributions. When the probati.ity distribu*. ions have unlike or arbitrary shapes and various levels of dependencies, the STADIC code is 3.3-3 4
, _ ,u: _
i l i used. This code combines distributions using a Monte Carlo simulation O technique anc provides mean, standard deviations and confidence limits. The RAS systeri of codes is used to quantify fault trees developed in the frontline I systems models. t
} The CP02 and STADIC codes are also used to estimate joint probabilities for i
failure frequencies of multicomponent systems. These codes were used to l
! calculate core melt (fequency. The uncertainty associated with the risk
! esticates are calculated using the MXDPD code. This code performs algebraic manipulations on ordinary and discrete probability distribution matrices..
- 3. 8. t. ACCIDENT PHENCMENA, CONTAINMENT AND SITE ANALYSIS I The analysis of accident phenomena, containment reponse and acgident
- O consequences in the SSPSA were calculated using the MARCH, COC0 CLASS 9, CORRAL i and CRACIT codes. These codes mathematically model the physical -systems and
. surrounding environs of the plant to deterministically calculate the behavior i of pcstulated accident sequences. The CRACIT code contains some statistical
~
model used to assess risk. 1 The FARCH code calculates the thermal hydraulic behavior of the primary
. coolant system, nuclear core and containment system during accidents. The i
t input to this codes is the state of the safety and auxiliary systems i determined by the event sequence analysis. Depending on the accident sequences, PARCH calculates the phenomena and timing of the core meltdown and containment failure. The MARCH codes contains models for primary system {} blowcown, primary system temperature and pressure, reactor vessel coolant 3.8-4
i i - f inventory, core heat generation and transport, core melting and slumping,
] [)
metal-water reactions, fission product .*elease and . transport, reactor vessel
! melt-through, molten core coolant interactions, core concrete interactions, hydrogen combustion and containment temperature and pressure response. For 9
I the SSPSA, the output from the MARCH calculations are used as input to the I , CORRAL and COCDCALSS9 codes.
;; The COC0CLAS$9 code is used primarily -as a replacement for the containment I '! analysis subroutines in the MARCH code. This code calculates the containment i '
behavior, including integrity, for a broad range of pressure transients
; including LOCAs and main steam line breaks.
N The CORRAL code uses the reactor coolant system, core and containment response j 6 j as input and calculates the release and transport of radionuclides within () containment. The release mechanisms include cladding rupture,; fuel melting,
! vaporization and steam explosions. For each release mechanism, the fractions of the noble gases, elemental iodine, organic iodine, and particulates released from the core to the containment and from the containment to the .
l - environment are calculated. The output information from the CORRAL code is { used as input to the CRACIT code. l i l The CRACIT codes contains mathematical and statistical models to calculate the
!- atmospheric fission product transport and its effects on the surrounding l
environment. This code accounts for meteorological, population and evacuation data along with the inventory and timing of radionuclide release. The output of this code provides information on the population health risk and offsite
. financial damage.
i 3.8-5
__ e .
' I.
3.8.5 CONCLUDING REMARKS
/
The more than 20 computer codes used in the SSPSA appear to be adequate for
- the analysis. Many of these, particularly the accident phenomena codes, are widely used for PRA studies. A detailed assessment of each of these c:das is
) -
-t beyond the scope of our review. However, we do have some comments.
x The MARCH code was developed from the analysis performed irthe Reactor Safety
]. Study' (WASH-1400) and contains limited detail and depth about the various i '
1 l pnenwena analyzed. Care must be taken on specifying the input to t5s code I and the calculational results generally have large uncert'ainties. y The OPD arithmatic employed in'the SSPSA provides an adequate method for
- combining probability df stribu'ttons. The random variable space, however, must i
O be appropriately df rcretized in arcer to give sufficient representation to the tills of the resultant distribution. If this is not done, discrepancies can re ult. , a ( l. c,- t - _
- 6. . j. is. _ ,
.1 $' I
~
~ . . - , . L ~ v . . , l - L : , ,
}' t l ,
1 l < -i . n o
% s ,
e- w,
?
- 49 y; .,
3.8-6
- m. .
s s (A
,s ,
O'; 's . [ e S* y/ ---**U .. % . . .. - . . _ . -.
- _u
. ? .
> i
- Table 3.8-1 3 COMPUTER CODES USED IN THE SEABROOK STATION PROBABILISTIC SAFETY STUDY
, COMPUTER REFERENCE FUNCTION
. CODE l _. . . ._ _ _ . _ . . _
i BEST 3.8-1 Two-stage Bayesian Update j, BETINY 3.8-2 Betr Factor Development
! C0C0 CLASS 9 3.8-3 Containment Analysis t
I . 4 COMPS 3.84 Fire Analysis CCRRAL 3.8-5 Fission Product Release and Transport C Within Containment CCSET 3.8-6 Small Event Tree Combination - t CRACIT - Site and Risk Analysis
'l
~
i-. CROSS 3.8-7 Matrix Manipulation
, ! < ~
OP02 3.8-9 Discrete Probability Distribution r Arithmatic I
! ' ;. ELMOR2}}